This month, Google removed 25 Android apps from the Play Store because steal facebook accounts with passwords . At the time of removal of the application, a total of 2.34 million times were downloaded. Applications were equipped with legitimate functionality, but also contained malicious code.
The creator of all 25 applications is the same cybercriminal grouping. Despite the fact that the programs offered users different functions, they actually worked the same way. According to the report of the French information security company Evina, received by ZDNet reporters, cybercriminals presented their programs as pedometers, photo and video editors, flashlights, file managers and mobile games. They were equipped with legitimate functionality, but also contained malicious code.
Malicious code detected the last application opened by the user and launched in the background. If it turned out to be Facebook, on top of the official application a browser window would open on the screen with a fake Facebook login page. After the user entered their credentials, they were sent to the remote airshop.pw server (the domain is currently not working).
Evina experts notified Google of malicious applications at the end of May this year. The company removed them from the Play Store earlier this month after checking the data provided by the researchers. Some programs have been on the Play Store for over a year.
Google removed malware not only from its store, but also from users ’devices. In addition, relevant notifications were sent to all affected users through the Play Protect service built into the Play Store.