Facestealer, first documented by Doctor Web in July 2021, refers to a group of fraudulent apps that invade the official app marketplace for Android with the goal of plundering sensitive data such as Facebook login credentials. Of the 200 apps, 42 are VPN services, followed by a camera (20) and photo editing applications (13). In addition to harvesting credentials, the apps are also designed to collect Facebook cookies and personally identifiable information associated with a victim’s account.
More than 200 Android applications posing as fitness, picture editing, and puzzle apps have been spotted delivering Facestealer malware designed to steal user passwords and other sensitive information. Facestealer, like Joker, another type of mobile malware, alters its code regularly, generating several variations, according to Trend Micro experts Cifer Fang, Ford Quin, and Zhengyu Dong in a recent paper. “Since its detection, the malware has relentlessly harassed Google Play.”
Additionally, Trend Micro disclosed that it uncovered over 40 rogue cryptocurrency miner apps that target users interested in virtual coins with malware designed to trick users into watching ads and paying for subscription services. Some of the fake crypto apps, such as Cryptomining Farm Your own Coin, take it one step further by also attempting to steal private keys and mnemonic phrases (or seed phrases) that are used to recover access to a cryptocurrency wallet.
On top of that, the research also shows that PHAs linger for a much longer period on average when users switch devices and automatically install the apps when restoring from a backup. As many as 14,000 PHAs are said to have been transferred to 35,500 new Samsung devices by using the Samsung Smart Switch mobile app, with the apps lasting on the phones for a period of approximately 93 days. “The Android security model severely limits what mobile security products can do when detecting a malicious app, allowing PHAs to persist for many days on victim devices,” the academics said. “The current warning system employed by mobile security programs is not effective in convincing users to promptly uninstall PHAs.”
To avoid falling victim to such scam apps, it’s recommended that users check negative reviews, verify the legitimacy of the developers, and avoid downloading apps from third-party app stores. New study analyzes malicious Android apps installed in the wild. The findings come as researchers from NortonLifeLock and Boston University published what they called the “largest on-device study” of potentially harmful apps (PHAs) on Android-based on 8.8 million PHAs installed on over 11.7 million devices between 2019 and 2020. “PHAs persist on Google Play for 77 days on average and 34 days on third-party marketplaces,” the study noted, pointing out the delay between when PHAs are identified and when they are removed, adding 3,553 apps exhibited inter-market migration after being taken down.