It seems that all the measures Google has taken to keep malware-spreading apps out of the Play Store are proving to be in vain. A recent report by leading antivirus firm Trend Micro disclosed that a total of 53 apps on the Play Store are guilty of spreading malware named GhostTeam. The malware is purpose-built to steal Facebook login IDs and passwords and to display annoying, intrusive advertisements.
The apps flagged as malicious are ordinary utility apps such as compasses, QR code scanners, flashlights and cleaners, along with video downloaders for downloading videos from various social sites.
How Do These Malicious Apps Make Their Way to the Play Store?
As we all know, Google has its own set of security standards, and very high ones at that. However, because these apps look like normal utility apps and do not themselves contain any malicious code, they pass the various security checks undetected and are published on the Play Store. Once installed, the apps check whether the platform they are running on is a real device or just an emulator. Once a real device is confirmed, they download a piece of malicious code to be executed at runtime and force users into downloading other apps.
However, once reported, all these apps are immediately removed from the Play Store by Google.
How Does This New Malware Steal Facebook User IDs and Passwords?
Once the malware confirms that the target device is a real device and not an emulator, it downloads the payload from its servers. The payload poses as the legitimate Google Play Services and waits for the user to open their Facebook or Google Play account. After the user opens their Facebook account, the malware uses a fake prompt to urge the victim to install the illegitimate Google Play Services that it has already downloaded.
Once the malware has tricked the user into installing the fake Google Play Services, it also urges the user to enable device administrator for it.
Then, when the user opens their Facebook account through the Facebook app as part of their daily routine, the malware automatically displays a dialog asking the user to re-authenticate with their Facebook credentials.
The malware uses one of the oldest, most traditional phishing methods: it launches a WebView component with a login page that looks similar to the original Facebook login page. Once the user validates the account by typing in the Facebook login ID and password, the WebView client steals them and sends them to a server controlled by hackers.
Apart from stealing Facebook credentials, these apps also bombard the user’s screen with annoying advertisements.
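The traits described above (an app labelled like Google Play Services that is not the genuine package, installed from outside the Play Store, and holding device administrator) can be checked across an inventory of installed apps. The following is an added example, not code from Trend Micro or from the original article; the CSV inventory format and the `com.example.*` package names are constructed for illustration, and the check compares names only, not signing certificates.

```python
import csv
import io
import unicodedata

GMS_PACKAGE = "com.google.android.gms"        # package name of the genuine Google Play Services
PLAY_STORE_INSTALLER = "com.android.vending"  # installer recorded for Play Store installs

# Constructed sample inventory (hypothetical export format and package names, not real data).
SAMPLE_INVENTORY = """package,label,installer,device_admin
com.google.android.gms,Google Play services,com.android.vending,no
com.example.flashlight,Super Flashlight,com.android.vending,no
com.example.updater.svc,Google  Play-Services,,yes
com.example.mdm.agent,Corp Device Agent,com.android.vending,yes
"""


def normalize(label):
    """Fold case and drop spaces/punctuation so near-identical labels compare equal."""
    folded = unicodedata.normalize("NFKC", label).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def triage(inventory_csv):
    """Return [(package, [reasons])] for apps matching the behaviour described above."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        reasons = []
        imitates = (normalize(row["label"]) == "googleplayservices"
                    and row["package"] != GMS_PACKAGE)
        if imitates:
            reasons.append("label imitates Google Play Services")
        if row["installer"] != PLAY_STORE_INSTALLER:
            reasons.append("not installed from the Play Store")
        if row["device_admin"] == "yes":
            reasons.append("holds device administrator")
        # An imitating label is enough on its own; otherwise require two signals,
        # so a Play Store-installed management agent with device admin is not flagged.
        if imitates or len(reasons) >= 2:
            findings.append((row["package"], reasons))
    return findings


if __name__ == "__main__":
    for package, reasons in triage(SAMPLE_INVENTORY):
        print(package, "->", "; ".join(reasons))
```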
What Will the Attackers Do With the Stolen Facebook Credentials?
According to Trend Micro’s security researchers, the stolen credentials can later be used by the attackers to deliver more damaging malware in the future. Moreover, these credentials can be used to amass a zombie social media army to distribute fake news in various parts of the world, along with crypto-mining malware.
Also, because Facebook accounts may sometimes contain sensitive data, they can be sold in the underground for nefarious purposes.
Who is Behind GhostTeam Malware?
Security researchers, though not 100% sure, feel that this piece of malware was developed by a Vietnamese developer, as the code contains mainly Vietnamese language. Also, the apps identified as culprits have their descriptions posted in Vietnamese on the Play Store.
As for the target area, the researchers reported that the user base mainly affected by this malware comes from India, Brazil, Indonesia, the Philippines and, obviously, Vietnam.
How to Protect Yourself From Such Malware Apps?
Though Google itself is unable to stop these apps from entering the Play Store, that doesn’t mean we can’t protect ourselves from this malware.
As the Play Store is an ocean of apps, one must be careful when choosing among them. Always try to install apps from a legitimate company or a company you trust. Also, before installing any app on your device, review all the permissions the app asks for. Never turn off Google Play Protect, as it regularly checks your device for any harmful apps that might be installed.
And last but not least, we advise our readers to install an antivirus app on their devices. These antivirus apps block all types of infections from entering your device. Also, make sure to keep the antivirus app, along with your device, updated.