Threat actors are constantly employing new tricks while also maintaining their old tried-and-tested tactics. One such evergreen tactic, is to deploy malicious duplicates of popular Android Apps in the Playstore. We came across one such band of malicious apps tagged as Facebook Credential stealer, aka Facestealer. A swatch of such malicious apps that we came across on the Playstore, is shown in the figure below.

What is Facestealer?

Facestealer is a family of Android Trojans that takes advantage of Social Engineering tricks to steal Facebook Confidential information like username and password. These malicious apps were initially distributed via Google Play and through Third Party app stores.

The following Facestealer samples were discovered recently on Google Play store which have now been removed.

• Fresh Desktop
• Oxagon Lighting Wallpaper Edge
• Photo Collage Editor
• Photo Maker
• Pics Art
• Prowire VPN – Secure Proxy
• Pumpkin VPN
• Secure VPN Pro
• Smart Scanner
• Snap Beauty Camera
• Snap Editor Pro
• Super-Click VPN
• Touch VPN Proxy
• YouPerfect Camera
• YourWallpaper

Technical Analysis

In this blog, we will be analyzing the sample com.friendtrip.smartscanner. Upon execution, the installed app launches Facebook’s official landing page and then ask the user to login with their Facebook account as shown in the Figure 2.

The malicious app uses Android WebView object’s loadUrl API to launch the Facebook’s official page as shown in the Figure 3.

Once the Facebook’s official page loads into the WebView object, the malware injects malicious JavaScript code into that page and extracts all the necessary information like account, password, user-agent and cookie information as shown in the Figure 4 .

When the user enters the credentials into the Facebook’s login page, the facestealer malware requests for configuration file from a C&C server hxxp://webtrace[.]club/beacon as shown in the Figure 5:

Once the above request is succeeded, this malware collects and POST user account, password,  cookie information to the C&C server hxxp://webtrace[.]club/api_v0/udata as shown in the following Figure 6:

Mitigations

• Always use the Official App Store to download apps
• Carefully read the user reviews before installing the apps
• Ensure you protect your device and data by using a reputable security product like K7 Mobile Security and keeping it up-to-date, to scan all the downloaded apps, irrespective of the source

 At K7 Labs, we are constantly protecting our users with near real-time monitoring of Facestealer malware.

Indicators of Compromise (IoCs)

Infected Package Name on Google Play Store	Hash	Detection Name
com.beautyselfie.photo.camera	BF63CC224C9CC17D768156EA74EE16BB	Trojan ( 0058d3f41 )
com.oxagon.edge	0ED449F32AB9F2C8CD68F8C9D5550E1B	Trojan ( 0058d3f51 )
com.pumpkinvpn.proxysafen	CB9D2B020289B038C681D4EFDB100B0C	Trojan ( 0001140e1 )
com.snapins.camerabeautya	2E968BB73A13D0A7C202EDC797763D2F	Trojan ( 0058d3f41 )
com.touchvpn.proxy	00B22E3E10F2F5C0EAA40587D2E4D6D6	Trojan ( 0056e5201 )
com.artnes.story.videosplitter	78040374ADAC35EE23FF6BD959F8BDE7	Spyware ( 0058cb9d1 )
com.friendtrip.smartscanner	38A72E3B36C4B44BF22C0CE78EC668D1	Spyware ( 0058d2c21 )