Nine Android apps have been removed from Google’s Play Store after security researchers found that they stole Facebook login credentials from their users. These apps had been downloaded more than 6 million times in total.
The apps apparently offered fully functional features for editing and framing photos, training and exercise, horoscopes, and removing cache/junk files from Android devices, according to a post by security firm Dr. Web.
To disable in-app advertisements, users were offered the option to log in to their Facebook accounts. Those who opted for it were shown a real Facebook login form with username and password fields. However, the apps hijacked the login process to steal the username and password inputs, in addition to the cookies of the authorized session. All the data was sent to the hacker’s servers.
Here’s the list of the Android apps and their number of downloads.
- App Lock Manager: 10 downloads
- Horoscope Pi: 1,000 downloads
- Lockit Master: 5,000+ downloads
- App Lock Keep: 50,000+ downloads
- Inwell Fitness: 100,000+ downloads
- Rubbish Cleaner: 100,000+ downloads
- Horoscope Daily: 100,000+ downloads
- Processing Photo: 500,000+ downloads
- PIP: 5.8 million downloads
As of writing, all the malicious applications mentioned above have been removed from Google Play. The developers responsible for uploading them have been banned as well. But that is unlikely to prevent future security breaches, because the shady developers can simply open a new developer account under a different name for a one-time fee of $25.
If Google is really serious about doing something about this, it has to tighten the security audit for apps and games submitted to the Play Store. Otherwise, this will keep happening.