Threat actors are constantly employing new tricks while also maintaining their old tried-and-tested tactics. One such evergreen tactic, is to deploy malicious duplicates of popular Android Apps in the Playstore. We came across one such band of malicious apps tagged as Facebook Credential stealer, aka Facestealer. A swatch of such malicious apps that we came across on the Playstore, is shown in the figure below.

Figure 1:  Malicious Facestealer Apps from Google Play Store

What is Facestealer?

Facestealer is a family of Android Trojans that takes advantage of Social Engineering tricks to steal Facebook Confidential information like username and password. These malicious apps were initially distributed via Google Play and through Third Party app stores.

The following Facestealer samples were discovered recently on Google Play store which have now been removed.

  • Fresh Desktop
  • Oxagon Lighting Wallpaper Edge
  • Photo Collage Editor
  • Photo Maker
  • Pics Art
  • Prowire VPN – Secure Proxy
  • Pumpkin VPN
  • Secure VPN Pro
  • Smart Scanner
  • Snap Beauty Camera
  • Snap Editor Pro
  • Super-Click VPN
  • Touch VPN Proxy
  • YouPerfect Camera
  • YourWallpaper

Technical Analysis

In this blog, we will be analyzing the sample com.friendtrip.smartscanner. Upon execution, the installed app launches Facebook’s official landing page and then ask the user to login with their Facebook account as shown in the Figure 2.

Figure 2: Asking the user to Login with Facebook credentials

The malicious app uses Android WebView object’s loadUrl API to launch the Facebook’s official page as shown in the Figure 3.

Figure 3: Launch the Facebook’s official page via WebView

Once the Facebook’s official page loads into the WebView object, the malware injects malicious JavaScript code into that page and extracts all the necessary information like account, password, user-agent and cookie information as shown in the Figure 4 .

Figure 4: Collects confidential information

When the user enters the credentials into the Facebook’s login page, the facestealer malware requests for configuration file from a C&C server hxxp://webtrace[.]club/beacon as shown in the Figure 5:

Figure 5: Request for Configuration file from C&C Server

Once the above request is succeeded, this malware collects and POST user account, password,  cookie information to the C&C server hxxp://webtrace[.]club/api_v0/udata as shown in the following Figure 6:

Figure 6: POST user Credentials to C&C Server


  • Always use the Official App Store to download apps
  • Carefully read the user reviews before installing the apps
  • Ensure you protect your device and data by using a reputable security product like K7 Mobile Security and keeping it up-to-date, to scan all the downloaded apps, irrespective of the source

 At K7 Labs, we are constantly protecting our users with near real-time monitoring of Facestealer malware.

Indicators of Compromise (IoCs)

Infected Package Name on
Google Play Store
HashDetection Name ( 0058d3f41 )
com.oxagon.edge0ED449F32AB9F2C8CD68F8C9D5550E1BTrojan ( 0058d3f51 )
com.pumpkinvpn.proxysafenCB9D2B020289B038C681D4EFDB100B0CTrojan ( 0001140e1 )
com.snapins.camerabeautya2E968BB73A13D0A7C202EDC797763D2FTrojan ( 0058d3f41 )
com.touchvpn.proxy00B22E3E10F2F5C0EAA40587D2E4D6D6Trojan ( 0056e5201 )
com.artnes.story.videosplitter78040374ADAC35EE23FF6BD959F8BDE7Spyware ( 0058cb9d1 )
com.friendtrip.smartscanner38A72E3B36C4B44BF22C0CE78EC668D1Spyware ( 0058d2c21 )

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “Facestealer – The Rise of Facebook Credential Stealer Malware”