Fakeapp Android Malware stealing Facebook Account Details

In a newly identified scam detected by Symantec, a malicious app dubbed ‘Android.Fakeapp’ carries a new malware strain that phishes for Facebook login credentials directly from the targeted devices.

Named Fakeapp, this new malware strain was detected earlier this month by Symantec researchers. Symantec says the malware is currently distributed inside malicious apps made available to English-speaking users on third-party app stores.

Despite targeting an English-speaking audience, Symantec researchers say most victims are from the Asia-Pacific region, suggesting the third-party app stores have only a local Asian audience.

Once the Facebook user credentials are obtained, the malware logs into the account and collects account information and search results using the Facebook mobile app’s search functionality.

Once installed, apps infected with the Fakeapp malware immediately hide from the phone’s home screen, leaving only a service running in the background. From installation onward, the malware proceeds step by step to steal details from a Facebook user’s account:

  • It checks for a target Facebook account by submitting the International Mobile Equipment Identity (IMEI) to the command and control (C&C) server.
  • If no account can be collected, it verifies that the app is installed on the device.
  • It then launches a spoofed Facebook login user interface (UI) to steal user credentials.
  • It periodically displays this login UI until credentials are successfully collected.

Besides sending the collected Facebook login credentials to the attacker’s server, the Fakeapp malware also immediately uses the login details to log in to the compromised Facebook account.

Once the malware is logged into the Facebook page, it can collect a wide variety of information on education, work, contacts, bio, family, relationships, events, groups, likes, posts, pages, and so on.

Martin Zhang and Shaun Aimoto, the two Symantec researchers who analyzed Fakeapp, say:

“The functionality that crawls the Facebook page has a surprising level of sophistication.”

“The crawler has the ability to use the search functionality on Facebook and collect the results. Additionally, to harvest information that is shown using dynamic web techniques, the crawler will scroll the page and pull content via Ajax calls.”

To stay safe, Facebook users are advised to keep their software up to date, refrain from downloading apps from unfamiliar sites, and install apps only from trusted sources. In addition, users should pay close attention to the permissions requested by apps and make frequent backups of important data.