KEY POINTS

  • Google recently banned nine apps identified as stealer trojans
  • These apps provide legitimate services to Facebook users
  • They also steal Facebook users' passwords

Security researchers and malware analysts at Dr. Web have discovered nine apps, with more than 5.8 million downloads combined, that have been stealing Facebook passwords. Google has already removed the apps and banned their developers, but users who installed them may already have been exposed.

Facebook users can follow these simple steps to make sure their privacy and security are intact. First, they should check whether any of the malicious apps removed by Google is installed on their device. These are PIP Photo, Processing Photo, Rubbish Cleaner, Inwell Fitness, Horoscope Daily, App Lock Keep, Lockit Master, Horoscope Pi and App lock Manager.

If Facebook users have any of these apps, they should uninstall them immediately. If an app required them to agree to its terms and conditions, they must reset their Facebook password as soon as possible. Users should also remain vigilant at all times.

Facebook social media app. Photo: Stock Catalog/flickr.com

Facebook users should use a reliable and trusted anti-virus product to detect apps carrying malicious code. If possible, they should also refrain from connecting third-party services like Facebook to apps from the Play Store. The Play Store is an easy place to sneak into, and a developer can simply resubmit a product after it has been taken down.

Most importantly, Facebook users must turn on two-factor authentication. If their password is leaked online, two-factor authentication protects the account from malicious actors and attackers. Pairing it with a password manager reinforces security further.

A few days ago, Facebook users were alarmed when malware analysts at Dr. Web reported "stealer trojans" that were spread as harmless apps. They were installed by almost 6 million users. The apps offered legitimate services like exercise and training, junk file removal, and photo editing and framing.

These malicious apps offered Facebook users the ability to disable in-app ads by logging into their Facebook accounts. According to the analysts, "the advertisements inside some of the apps were indeed present and this maneuver was intended to further encourage Android device owners to perform the required actions."

Those who selected the option saw the standard Facebook login page, but the page was actually rendered inside a WebView controlled by the app. Dr. Web revealed that the hackers then "loaded JavaScript received from the C&C server into the same WebView. This script was directly used to hijack the entered login credentials."

This JavaScript, according to the analysts, would use "the methods provided through the JavascriptInterface annotation, passed stolen login and password to the trojan applications, which then transferred the data to the attackers’ C&C server." They added that "After the victim logged into their account, the trojans also stole cookies from the current authorization session. Those cookies were also sent to cybercriminals."
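The mechanism Dr. Web describes in the last three paragraphs has a recognisable shape in decompiled source: a WebView pointed at a Facebook login URL, a native bridge exposed to page JavaScript via addJavascriptInterface and @JavascriptInterface, script injected into that WebView from a remote server, and cookie harvesting via CookieManager. The following triage heuristic, an added example that is not part of the Dr. Web report or of any of the named apps, scans decompiled Java/Kotlin text (as produced by tools such as jadx) for these four building blocks and rates their combination. The sample sources, file paths and class names are constructed for this example.

```python
"""Static triage heuristic for the WebView login-hijack pattern described by Dr. Web.

Given decompiled Android source text (Java or Kotlin), it looks for the four
building blocks the report describes and rates their combination:
  1. a WebView pointed at a Facebook login URL,
  2. a native<->page bridge (addJavascriptInterface / @JavascriptInterface),
  3. script injected into the WebView (evaluateJavascript or a "javascript:" URL),
  4. session cookie harvesting (CookieManager.getCookie).
All sample sources below are constructed for this example; the names are hypothetical.
"""
import re
from typing import Dict, List

INDICATORS = {
    "facebook_login_url": re.compile(
        r"https?://(?:m|www|mobile)\.facebook\.com/(?:login|dialog/oauth)", re.I),
    "js_bridge": re.compile(r"addJavascriptInterface\s*\(|@JavascriptInterface\b"),
    "script_injection": re.compile(r"evaluateJavascript\s*\(|loadUrl\s*\(\s*\"javascript:"),
    "cookie_harvest": re.compile(r"CookieManager\.getInstance\(\)\.getCookie\s*\("),
}

# A bridge plus injected script on a third-party login page is the hijack shape itself.
HIGH_RISK = {"facebook_login_url", "js_bridge", "script_injection"}


def scan_file(text: str) -> Dict[str, List[int]]:
    """Return indicator name -> 1-based line numbers where it appears in one file."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def triage(sources: Dict[str, str]) -> dict:
    """Aggregate indicators across all files of one APK and rate the combination.

    The WebView setup, the bridge class and the script loading are usually split
    across classes, so the verdict is computed on the union of indicators, not per file.
    """
    per_file = {path: scan_file(text) for path, text in sources.items()}
    present = {name for hits in per_file.values() for name in hits}
    if HIGH_RISK <= present:
        verdict = "high"      # login page + bridge + injected script: treat as credential hijack
    elif present:
        verdict = "review"    # some building blocks; may be a legitimate hybrid app
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": sorted(present),
            "files": {p: h for p, h in per_file.items() if h}}


# Constructed sample 1: the pattern from the report, spread over three classes.
SUSPICIOUS_APP = {
    "com/example/adfree/LoginActivity.java": """
        WebView webView = findViewById(R.id.web);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new Bridge(this), "app");
        webView.loadUrl("https://m.facebook.com/login.php");
    """,
    "com/example/adfree/Bridge.java": """
        public class Bridge {
            @JavascriptInterface
            public void onData(String s) { /* ... */ }
        }
    """,
    "com/example/adfree/PageClient.java": """
        public void onPageFinished(WebView view, String url) {
            view.evaluateJavascript(remoteScript, null);
            String cookies = CookieManager.getInstance().getCookie(url);
        }
    """,
}

# Constructed sample 2: a hybrid app exposing a JS bridge to its own pages only.
HYBRID_APP = {
    "com/example/notes/MainActivity.java": """
        webView.addJavascriptInterface(new NotesBridge(), "notes");
        webView.loadUrl("https://notes.example.com/app");
    """,
}

# Constructed sample 3: Facebook Login through the official SDK, no WebView at all.
SDK_APP = {
    "com/example/fit/LoginFragment.java": """
        LoginManager.getInstance().logInWithReadPermissions(this, Arrays.asList("email"));
    """,
}

if __name__ == "__main__":
    for label, app in (("suspicious", SUSPICIOUS_APP), ("hybrid", HYBRID_APP), ("sdk", SDK_APP)):
        result = triage(app)
        print(f"{label:10s} -> {result['verdict']:6s} {result['indicators']}")
```

The verdict is deliberately coarse: a JavaScript bridge on its own is common in legitimate hybrid apps (sample 2), so only the combination of a third-party login page, a bridge and injected script is rated high, and anything with a subset of the indicators is handed to an analyst for manual review rather than blocked outright.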