Researchers find 53 apps distributing malware for stealing Facebook credentials – some of which have been active since April 2017 and have been downloaded over 100,000 times.
Malware which aims to steal Facebook login credentials while also aggressively displaying pop-up adverts has been uncovered targeting Android users via the Google Play store – and may have been downloaded by hundreds of thousands of unwitting victims.
Dubbed GhostTeam after strings in the code by the analysts at security company Trend Micro which uncovered it, the malware was first published in April 2017 and has been disguised in the official Android marketplace as utility apps, performance boosters and social media video downloaders.
A total of 53 applications have been identified as distributors of GhostTeam malware and, while there’s no exact figure on how many users have inadvertently compromised their devices, one malicious app — advertised as a means of downloading videos from Facebook — has been downloaded between 100,000 and 500,000 times.
While it’s not clear why the attackers are going after Facebook accounts, researchers suggest that they could be used for anything from distributing additional malware, to mining cryptocurrency, to using the social media platform to spread fake news.
After being downloaded, GhostTeam first checks to ensure it isn’t running in an emulator or virtual environment – a strategy likely employed by the developers to ensure their malware code is difficult to examine.
Once it’s been verified that the download is being made to a regular Android device, the payload is dropped, disguised as ‘Google Play Services’ and making a false claim about needing to verify an app.
After this, if the user opens Google Play or Facebook, the user is asked to install this fake version of Google Play Services, which then asks for administrative privileges, giving GhostTeam control of the device.
When the infected user next opens their Facebook app, they’re asked to verify their account using what looks like the standard login procedure. However, behind the scenes, malicious code is injected into a WebView client, allowing for the theft of the email address and password entered, with the data sent to a command and control server.
If no two-factor authentication is applied, this puts the Facebook account into the hands of the attackers to use as they see fit. While campaigns using the stolen credentials have yet to be seen in the wild, “it’s not farfetched to think they would,” said Kevin Sun, Mobile Threat Analyst at Trend Micro.
In addition to stealing Facebook credentials, GhostTeam also aggressively pushes full-screen pop-up ads to the victim – most likely as a means of generating revenue from clicks. In order to push the highest number of adverts possible, it displays full-screen ads on the home screen when the user is interacting with the device. It also keeps the device awake by showing adverts in the background.
The highest percentage of GhostTeam’s victims are in India – which recently overtook the United States as the country with the most Facebook users. That provides the attackers with a large base of potential victims to steal accounts from. A significant number of infections have also been uncovered in Indonesia, Brazil, Vietnam, Australia and the Philippines.
Researchers suggest the malicious apps could be the product of cyber criminals in Vietnam, because of “considerable use” of Vietnamese language in the code. Within Vietnam, the default language of the malicious apps is set to Vietnamese, while outside of Vietnam it reverts to English.
Trend Micro disclosed the findings to Google and all of the malicious GhostTeam apps have now been removed from Google Play. ZDNet contacted Google for a statement, but hadn’t received a response at the time of publication.
Facebook has also been made aware of the account stealing malware. “We are blocking the distribution of these apps where we can and we have systems to help detect compromised accounts and credentials,” said a Facebook spokesperson.
Users can try to avoid being infected by Android malware by keeping their device patched and up to date and by checking the authenticity and reviews of apps before downloading them.
Those who fear their device has been compromised by GhostTeam can mitigate it by disabling the device administrator features – and should also change their Facebook login credentials in order to prevent attackers from having continued access to the account.
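As an added defender-side example (not from the Trend Micro research or this article), the check below parses the output of `adb shell dumpsys device_policy`, lists the enabled device administrators, and flags any that are not on a known-good list, scoring package names that imitate Google or Play Services higher. The sample dumpsys text and the package names in it are constructed for illustration, and the exact dumpsys layout varies across Android versions, so the parser accepts both the short `pkg/.Receiver:` form and the `ComponentInfo{pkg/cls}` form.

```python
import re

# Constructed sample modelled on `adb shell dumpsys device_policy` output.
# Only the "Enabled Device Admins" block matters here; the second package
# name is a made-up lookalike standing in for a fake "Google Play Services".
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Device Owner:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.gms/.mdm.receivers.MdmDeviceAdminReceiver:
      uid=10021
    com.playservice.verify/.AdminReceiver:
      uid=10213
  Password requirements:
"""

# Packages that legitimately hold device admin on a stock device
# (Find My Device lives in com.google.android.gms). Extend with your MDM.
KNOWN_GOOD_ADMINS = {"com.google.android.gms", "com.android.vending"}
# Tokens a fake "Google Play Services" package is likely to borrow.
LOOKALIKE = re.compile(r"(google|gms|play|services?|vending)", re.I)
# Matches "pkg/.Cls:" and "ComponentInfo{pkg/cls}:" on a stripped line.
COMPONENT = re.compile(r"(?:ComponentInfo\{)?([a-zA-Z][\w.]*)/(\.?[\w.$]+)\}?:?")

def enabled_device_admins(dumpsys):
    """Return (package, receiver) pairs under 'Enabled Device Admins'."""
    admins, in_section = [], False
    for line in dumpsys.splitlines():
        if line.strip().startswith("Enabled Device Admins"):
            in_section = True
            continue
        if in_section and line and not line.startswith("    "):
            in_section = False  # back to a 2-space heading: block is over
        if in_section:
            m = COMPONENT.fullmatch(line.strip())
            if m:
                admins.append((m.group(1), m.group(2)))
    return admins

def suspicious_admins(dumpsys, allowlist=KNOWN_GOOD_ADMINS):
    """Flag non-allowlisted admins; Google/Play lookalikes are 'high'."""
    findings = []
    for pkg, cls in enabled_device_admins(dumpsys):
        if pkg in allowlist:
            continue
        severity = "high" if LOOKALIKE.search(pkg) else "review"
        findings.append({"package": pkg, "receiver": cls, "severity": severity})
    return findings
```

A flagged package can then be stripped of its admin rights with `adb shell dpm remove-active-admin <pkg>/<receiver>` before uninstalling it, which is the manual step the paragraph above describes.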
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains such as finance, healthcare and consumer products.