Apps from Google Play specialize in stealing Facebook credentials


Fig. Cowboy Adventure app on Google Play.

Fig. Jump Chess app on Google Play.
Unlike real malware for Android, which we examinedbefore, these applications contain the normal features specified in the description of the application. However, when launching these applications, they show the user a window in which they are prompted to enter the credentials of their Facebook account. In the case of this action, the entered credentials will be sent to the remote attacking server.

Fig. The fake Facebook credential entry window that the application displays.
The bad news is that at the time of the removal of this program from Google Play, its version was already 1.3. The application itself was available for download at least April 16, 2015, when it was once again updated. However, we are not sure that the first versions of this application contained these malicious features, we also do not know how many Facebook accounts were compromised.
Another application from the same developer is called Jump Chess and it was available for download a little earlier, from April 14, 2015. Jump Chess was much less successful, since it gained from 1 thousand to 5 thousand installations.
The good news is that Google has already removed both applications from the store, and also warns Android users about their installation on the device.

Fig. A warning window that the application being installed contains malicious activity.
Earlier, we pointed out that the security mechanisms of Android were significantly improved by Google, which reduces the risk of malware infection in this mobile OS. At the same time, they are still not enough to ensure the complete safety of the user of the mobile device.
Another good news is the fact that not all users who installed the above software on their devices entrusted him with their social network credentials. This is evidenced by negative user comments on applications.

Fig. Negative user comments on the Cowboy Adventure app.
Analysis of malicious applications shows that they were written in C # using the Mono Framework. Malicious code is located in the TinkerAccountLibrary.dll library. The application interacts with the C & C server through a secure HTTPS connection. To collect the stolen data by attackers, another server is used, known as the “Drop Zone”. The malware receives its address dynamically in the process.
To protect against this kind of unwanted programs, keep the following safety rules in mind.
- To download applications, use the proprietary Google Play resource, and not third-party stores or other unknown sources. Even if Google Play cannot protect the user from the installation of malware by 100%, he has serious security measures to control applications.
- Download applications only from trusted developers and track their rating, as well as comments of other users to them in the store. Cowboy Adventure fraudulent activity was quickly noticed by users who indicated this in the comments. You should also carefully look at the permissions that the application requests for its work.
- Use antivirus software for your device to help protect you from all kinds of malware. ESET Mobile Security antivirus product detects the specified applications as Android / Spy.Feabme.A .