Once again, Google has been forced to remove apps from its Play Store after their true malicious functions were discovered. In this instance, 25 applications that were collectively downloaded over 2.34 million times were stealing Facebook credentials.
French cybersecurity firm Evina discovered the apps, which were removed from the Play Store in early June. The programs were disguised as games, flashlights, wallpapers, editing software, QR scanners, step counters, file managers, and more. Most did perform their intended functions, but they also carried out malicious acts.
Evina writes that when an app was launched on an infected phone, the malicious code would query that app's name. If it was Facebook, the malware would launch a browser that loaded a fake login page on top of the official app. When a user entered their details, the malicious app would log them and send them to a remote server.
Grabbing someone’s Facebook login could allow a bad actor to access the account and all the personal info it holds. The hackers could also check to see if the same credentials were used across multiple websites.
“This malware could effectively ruin your online and offline life by making off with the credentials of one of your most valued pieces of digital real estate,” wrote Evina.
Other apps, which ZDNet reports all came from the same threat group, would perform different unwanted actions, such as overwhelming users with ads and opening up new browser tabs.
The malicious apps were identified by Evina in May and reported to Google soon after. It remains unclear how many people had their Facebook credentials stolen, or how the apps evaded Google’s checks and made their way onto the Play Store.