Trend Micro researchers spotted over 200 Android apps on the Play Store distributing spyware called Facestealer used to steal sensitive data from infected devices. The malicious apps are able to steal credentials, Facebook cookies, and other personally identifiable information.
Some of the malicious apps discovered by the experts have been installed over a hundred thousand times.
The Facestealer spyware was first spotted on July 2021 by Dr. Web researchers, the development team behind the threat has frequently changed its code.
Most of the malicious apps were VPN software (42), followed by Camera (20), and Photo Editing (13).
Trend Micro researchers also discovered 40 fake cryptocurrency miner apps that are variants of similar apps that they discovered in August 2021. The apps deceive users into subscribing to paid services or clicking on ads.
“Facestealer apps are disguised as simple tools — such as virtual private network (VPN), camera, photo editing, and fitness apps — making them attractive lures to people who use these types of apps. Because of how Facebook runs its cookie management policy, we feel that these types of apps will continue to plague Google Play.” concludes the report published by Trend Micro. “As for the fake cryptocurrency miner apps, their operators not only try to profit from their victims by duping them into buying fake cloud-based cryptocurrency-mining services, but they also try to harvest private keys and other sensitive cryptocurrency-related information from users who are interested in what they offer. Looking into the future, we believe that other methods of stealing private keys and mnemonic phrases are likely to appear.”
The report includes Indicators of compromise (IOCs) for these malicious apps.
Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform
(SecurityAffairs – malware, Facestealer)