Researchers from Dr. Web have found nine apps with more than 5.8 million combined downloads that were sneakily stealing user’s Facebook passwords using a genuine Facebook login page. As of writing, Google has banned the developer and removed these nine apps from the Play Store, but if you’ve downloaded any of them, it’s time to change your passwords.
How did the apps steal the data?
According to the researchers at Dr. Web, the developer, chikumburahamilton, created fully functional apps for photo editing, exercising, horoscopes, and junk cleaning (among others). After a point, these apps would prompt users to log in using Facebook to unlock the full functionality of the app.
When users did that, the app would kick in their own C&C server (a Command-and-Control server controlled by the developer used to copy and store data from a webpage). After receiving the settings from the C&C server, the app loaded then loaded the legitimate Facebook login page.
What can you do about it?
The first thing you should do is to check if you were running one of these nine apps:
App Lock Keep
App lock Manager
If you have any of these apps installed, the first step is to uninstall the application.
Then, if you used Facebook login with the app, you need to reset your password immediately.
Next, stay vigilant. Use a trusted anti-virus application like Malwarebytes to detect apps with malicious code. If possible, avoid connecting third-party services like Facebook with random apps downloaded from the Play Store. Because of the way Play Store works, it’s trivially easy for developers to reenter and resubmit apps even after they are taken down (a developer licence only costs $US25 ($32)).
Lastly, turn on two-factor authentication for any site that allows it, and pair it with a password manager. This will help you generate and store long passwords securely. And even if a website leak reveals your password, two-factor authentication will protect you from hackers.