Google has long tried to keep applications that steal user data and violate user privacy out of the Play Store. Last year Google made several efforts to remove malicious and password-stealing apps from the Play Store, but some malicious apps still managed to get in.
Security researchers have found malware, dubbed GhostTeam, that was designed to steal Facebook credentials and aggressively display pop-up ads; it was found in 56 apps.
Discovered independently by two cybersecurity firms, Trend Micro and Avast, the malicious apps disguise themselves as various utility apps (such as a flashlight, QR code scanner, and compass), performance-boosting apps (such as file-transfer and cleaner tools), and entertainment, lifestyle and video downloader apps.
To steal Facebook credentials, the apps rely on social engineering tactics.
Like most password-stealing or otherwise malicious apps, these apps contain no malicious code themselves, which is how they passed Google's security checks. Instead, they download a payload suited to the device and use social engineering to get the user to enter their credentials into a phishing page.
The only visibly harmful thing the apps do is aggressively show ads. The catch is that the apps can download pieces of code to run at runtime, or even download other apps to the device. They request the malicious code from their servers, and the server sends it back. The downloaded package is malicious, and if it is removed manually it can be downloaded again, or even replaced with a different one.
HOW DO THEY STEAL CREDENTIALS?
As soon as the user opens the application, it tricks them by asking them to re-verify by logging into their Facebook account. Rather than exploiting any system vulnerability, the attack relies on a simple phishing page: the fake app launches a WebView component that shows a fake Facebook login page and asks the user to log in.
The credentials the user enters are then sent to the attacker's remote server.
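The defensive point in the passage above is that the fake login page is an in-app WebView, not the real Facebook site, so a reviewer or analyst inspecting an app's WebView navigations can ask a simple question of every login-looking page: is it really served over HTTPS from facebook.com? The following is an added example written for this article, not code from Trend Micro, Avast or the GhostTeam samples. It assumes a constructed log of WebView page loads (package name and URL per line; the package names and URLs are made up) and shows the host check done correctly, including the lookalike-domain, userinfo (`user@host`) and local-asset tricks that a naive `"facebook.com" in url` test would get wrong.

```python
from urllib.parse import urlsplit

# Constructed sample log: one WebView page load per line, "<package> <url>".
# Every package name and URL here is made up for the example.
SAMPLE_WEBVIEW_LOG = """\
com.example.flashlight https://m.facebook.com/login.php
com.example.qrscan https://facebook.com.verify-account.example/login
com.example.cleaner http://facebook.com/login.php
com.example.compass https://facebook.com@account-check.example/login
com.example.video file:///android_asset/fb_login.html
com.example.notes https://example.org/help
"""


def is_genuine_facebook_login(url: str) -> bool:
    """Return True only for an HTTPS page whose host is facebook.com or a
    subdomain of it.  urlsplit().hostname drops userinfo and the port and
    lowercases the host, so "facebook.com@evil.example" resolves to
    evil.example, and "facebook.com.evil.example" fails the suffix test."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        # Plain HTTP, file://, data: and similar are never a genuine login page.
        return False
    host = parts.hostname
    if not host:
        return False
    # Exact domain or a real subdomain; a lookalike with facebook.com as a
    # prefix ("facebook.com.evil.example") does not end with ".facebook.com".
    return host == "facebook.com" or host.endswith(".facebook.com")


def triage_webview_loads(lines):
    """Flag WebView loads that look like a login prompt ("login" in the URL)
    but are not a genuine HTTPS facebook.com page.  Returns a list of
    (package, url) tuples in log order."""
    flagged = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        package, _, url = line.partition(" ")
        if "login" in url.lower() and not is_genuine_facebook_login(url):
            flagged.append((package, url))
    return flagged


if __name__ == "__main__":
    for package, url in triage_webview_loads(SAMPLE_WEBVIEW_LOG.splitlines()):
        print(f"suspicious login page in {package}: {url}")
```

In a real review the log would come from instrumentation or a proxy rather than a string, and the trusted host list would be whatever service the app claims to authenticate against; the shape of the check stays the same. Note that the check deliberately treats a login page over plain HTTP as not genuine even when the host is right, since credentials entered there are exposed in transit.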