9 Play Store Apps Stole Users’ Facebook Passwords

The Google Play app store for Android. Image credit: ymgerman/Bigstock.com

Google has now removed 9 apps from the Google Play app store that stole users’ Facebook passwords. Between them the apps were downloaded more than 5.8 million times, and they included:

  • Rubbish Cleaner.
  • Inwell Fitness.
  • Horoscope Daily.
  • App Lock Keep.
  • Lockit Master.
  • Horoscope Pi.
  • App Lock Manager.

A clear trend here is apps that ask for accessibility or device-administrator privileges on your device. ‘App locking’ apps and apps that scan your entire device need deep privileges, and those same privileges make it easy for them to snatch your passwords. For example, locker apps ask for an accessibility service because that is what lets them see which app is on screen; the same service can read what is on your screen and observe much of what you type, so a key logger can be built on top of it (and some of these apps have had one built in). The same applies to antivirus apps, which have had similar outbreaks. Anything that claims to lock other apps or scan your device therefore needs extra due diligence: research it carefully before installing, and treat an accessibility or device-administrator request from any app that does not obviously need it (a screen reader does; a cleaner or horoscope app does not) as a reason not to install it.
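The due diligence above can be partly automated. The script below is an added example (not code from the original article or from the apps it names): it reads a decoded AndroidManifest.xml, in the form a tool such as apktool produces, and flags the declarations that give an app screen-reading or device-administrator power. The permission and action strings are the real Android constants; the two manifests, the package names, component names and the risk thresholds are constructed for illustration.

```python
"""Flag manifest declarations that grant screen-reading or device-admin power.

Added example, not from the original article.  The two sample manifests
below are constructed; the permission/action strings are Android's own.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android constants an accessibility service and a device-admin receiver must declare.
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"   # draw over other apps
INTERNET = "android.permission.INTERNET"              # needed to exfiltrate anything

# Constructed manifest of a hypothetical "app locker" (package name is made up).
LOCKER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.locker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Example Locker">
    <service android:name=".LockService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest of a hypothetical horoscope app that asks for nothing deep.
HOROSCOPE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.horoscope">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Example Horoscope">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def _name(el):
    return el.get(ANDROID_NS + "name", "")


def _actions(component):
    """All intent-filter action names declared under a service/receiver."""
    return {_name(a) for a in component.iter("action")}


def audit_manifest(xml_text):
    """Return the privilege-related findings for one decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {_name(p) for p in root.iter("uses-permission")}
    findings = {
        "internet": INTERNET in perms,
        "overlay": OVERLAY in perms,
        # Either the binding permission or the action alone identifies the component.
        "accessibility_service": [
            _name(s) for s in root.iter("service")
            if s.get(ANDROID_NS + "permission") == BIND_ACCESSIBILITY
            or ACCESSIBILITY_ACTION in _actions(s)
        ],
        "device_admin": [
            _name(r) for r in root.iter("receiver")
            if r.get(ANDROID_NS + "permission") == BIND_DEVICE_ADMIN
            or DEVICE_ADMIN_ACTION in _actions(r)
        ],
    }
    return findings


def risk_level(findings):
    """Constructed thresholds: screen access plus a network path is the worst case."""
    if findings["accessibility_service"] and findings["internet"]:
        return "high"
    if findings["accessibility_service"] or findings["device_admin"] or findings["overlay"]:
        return "medium"
    return "low"


if __name__ == "__main__":
    for label, manifest in (("locker", LOCKER_MANIFEST), ("horoscope", HOROSCOPE_MANIFEST)):
        f = audit_manifest(manifest)
        print(label, risk_level(f), f)
```

A "low" result only means the app asked for no deep privileges; a horoscope app can still misuse the personal data you type into it, which no manifest check will show.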

I’d recommend reading Kompulsa’s guide to Android permissions, which explains which of them give an app the ability to harm your device.

Horoscope apps, on the other hand, are likely to ask you for a great deal of personal information, or to obtain it from your Facebook account after coercing you into granting access. Also be wary of key logging (which can end in password theft) whenever an app brings up a form asking you to type in your Facebook credentials: a login page shown inside an app’s own window is under that app’s control, even when the page itself is the genuine Facebook one. Never enter your credentials in windows popped up by third parties. Some websites do this legitimately (for example, popping up a PayPal window when you buy something from them), but don’t enter anything if you don’t trust the app or website.

The 9 apps mentioned above stole passwords by loading the genuine Facebook login page inside a web view they controlled, injecting JavaScript into that page to capture the username and password the user entered, and stealing the session cookies as well.
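Because the login page itself was genuine, the only party that could have noticed something was wrong before the password left the phone was the site receiving the login. The script below is an added example (not code from the original article, from Facebook or from the apps) of the server-side check a login service can make: it classifies a login request as coming from an embedded Android web view or from a real browser using two signals in the request headers. The Android WebView user agent carries a "; wv)" token that the system browser and Chrome Custom Tabs do not, and WebView has historically attached an X-Requested-With header naming the embedding app's package. The sample requests, header values and package names are constructed; the deny/allow policy is an assumption about what a service might choose to do.

```python
"""Classify where a login request came from using Android WebView's header fingerprints.

Added example, not from the original article.  Sample requests are constructed.
Caveat: Google has begun phasing out the X-Requested-With header, so treat its
absence as inconclusive rather than as proof of a real browser; the "; wv)"
user-agent token is the more durable signal.
"""
import re

WEBVIEW_UA = re.compile(r";\s*wv\)")                     # e.g. "...; wv) AppleWebKit/..."
PACKAGE_NAME = re.compile(r"^[A-Za-z]\w*(\.[A-Za-z]\w*)+$")  # com.vendor.app, never "XMLHttpRequest"

# Constructed requests.  The package name com.example.locker is made up.
SAMPLE_REQUESTS = {
    # System Chrome, and also a Chrome Custom Tab: the app cannot read this page.
    "chrome": {
        "User-Agent": "Mozilla/5.0 (Linux; Android 11; Pixel 4a) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/91.0.4472.120 Mobile Safari/537.36",
    },
    # Embedded WebView inside a third-party app: the app controls the page.
    "webview": {
        "User-Agent": "Mozilla/5.0 (Linux; Android 11; Pixel 4a Build/RQ3A.210705.001; wv) "
                      "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 "
                      "Chrome/91.0.4472.120 Mobile Safari/537.36",
        "X-Requested-With": "com.example.locker",
    },
    # WebView on a build that no longer sends X-Requested-With: UA token still gives it away.
    "webview_no_xrw": {
        "User-Agent": "Mozilla/5.0 (Linux; Android 13; Pixel 6; wv) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Version/4.0 Chrome/112.0.0.0 Mobile Safari/537.36",
    },
    # An AJAX library sets X-Requested-With too; it must not be mistaken for a package.
    "ajax_browser": {
        "User-Agent": "Mozilla/5.0 (Linux; Android 11; Pixel 4a) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/91.0.4472.120 Mobile Safari/537.36",
        "X-Requested-With": "XMLHttpRequest",
    },
}


def classify_login_origin(headers):
    """Return (origin, embedding_app): origin is 'android_webview', 'browser' or 'unknown'."""
    h = {k.lower(): v for k, v in headers.items()}
    ua = h.get("user-agent", "")
    xrw = h.get("x-requested-with", "")
    app = xrw if PACKAGE_NAME.match(xrw) else None
    if WEBVIEW_UA.search(ua) or app:
        return "android_webview", app
    if ua:
        return "browser", None
    return "unknown", None


def login_decision(headers):
    """Assumed policy: refuse password logins from an embedded web view, allow the rest.
    A real service might instead step up to a second factor or warn the user."""
    origin, _ = classify_login_origin(headers)
    return "deny" if origin == "android_webview" else "allow"


if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(label, classify_login_origin(req), login_decision(req))
```

The point of the check is not the exact header strings, which change across Android releases, but that a login page rendered inside another app's web view is a different trust boundary from the same page in the system browser, and the service can tell the two apart.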