Malware which aims to steal Facebook login credentials and also aggressively displays pop-up adverts has been uncovered targeting Android users via the Google Play store -- and may have been downloaded by hundreds of thousands of unwitting victims.
Dubbed GhostTeam after strings in its code by the analysts at security company Trend Micro who uncovered it, the malicious apps were first published in April 2017, disguised in the official Android marketplace as utility apps, performance boosters, and social media video downloaders.
A total of 53 applications have been identified as distributors of GhostTeam malware and, while there's no exact figure on how many people have inadvertently compromised their device, one malicious app -- advertised as a means of downloading videos from Facebook -- has been downloaded between 100,000 and 500,000 times.
While it's not clear why the attackers are going after Facebook accounts, researchers suggest that they could be used for anything from distributing additional malware, to mining cryptocurrency, to using the social media platform to spread fake news.
After being installed, GhostTeam first checks that the phone isn't running in an emulator or virtual environment, a sandbox-evasion tactic likely intended to keep the malicious behaviour from showing up when analysts run the app in a test environment.
Once it has confirmed it is on a real Android device, GhostTeam drops its payload, which poses as 'Google Play Services' and falsely claims that an app needs to be verified.
From then on, whenever the user opens Google Play or Facebook, they are prompted to install this fake Google Play Services, which in turn requests device administrator privileges. Granting them gives GhostTeam control of the device.
When the infected user next opens the Facebook app, they're asked to verify their account through what looks like the standard login procedure. Behind the scenes, however, the prompt is rendered in a WebView into which the malware injects code that captures the email address and password entered and sends them to a command-and-control server.
If two-factor authentication is not enabled on the account, this puts the Facebook account into the hands of the attackers to use as they see fit. While campaigns using the stolen credentials have yet to be seen in the wild, "it's not far-fetched to think they would," said Kevin Sun, mobile threat analyst at Trend Micro.
In addition to stealing Facebook credentials, GhostTeam also aggressively pushes full-screen pop-up ads to the victim -- most likely as a means of generating revenue from clicks. In order to push the highest number of adverts possible, it displays full-screen ads on the homescreen when the user is interacting with the device. It also keeps the device awake by showing adverts in the background.
The largest share of GhostTeam's victims is in India, which recently overtook the US as the country with the most Facebook users and so gives the attackers a large pool of accounts to steal. Significant numbers of infections have also been found in Indonesia, Brazil, Vietnam, Australia, and the Philippines.
Researchers suggest the malicious apps could be the work of cybercriminals in Vietnam, citing the "considerable use" of Vietnamese in the code. Inside Vietnam the apps default to Vietnamese, while elsewhere they fall back to English.
Trend Micro disclosed its findings to Google, and all of the malicious GhostTeam apps have now been removed from the Google Play store. Google was contacted for a statement but had not responded at the time of publication.
Facebook has also been made aware of the account stealing malware. "We are blocking the distribution of these apps where we can and we have systems to help detect compromised accounts and credentials," said a Facebook spokesperson.
Users can reduce the risk of Android malware by keeping their device patched and up to date, by checking the developer and reviews of an app before installing it rather than trusting a familiar-sounding name, and by treating any app that asks for device administrator privileges with suspicion.
Those who fear their device has been compromised by GhostTeam can clean it up by revoking the fake app's device administrator rights in the phone's security settings and then uninstalling it. They should also change their Facebook password, and enable two-factor authentication, so that the attackers lose any continued access to the account.
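One way to check a phone for the kind of foothold described above is to look at which components hold device administrator rights and whether any of them impersonate Google. The script below is an added example, not Trend Micro's or the article's code. It assumes you have saved the output of `adb shell dumpsys device_policy` and collected each admin package's application label (for instance with `aapt dump badging` on the pulled APK); the dump, the label map, the package names and the `com.example.mdm` allowlist entry are all constructed for the example.

```python
"""Flag device-administrator apps that impersonate Google Play Services.

Added example (not the article's or Trend Micro's code). Input is a saved
`adb shell dumpsys device_policy` dump plus a package->label map; both
samples here are constructed. A device admin whose label reads
"Google Play Services" but whose package is not Google's own is the
shape of the fake that GhostTeam installs.
"""
import re

# Packages Google really ships under the names the fake imitates.
GOOGLE_PLAY_PACKAGES = {"com.google.android.gms", "com.android.vending"}
# Admins you expect on this device (assumption: an enrolled MDM agent).
EXPECTED_ADMINS = {"com.example.mdm"}

# Constructed excerpt of `dumpsys device_policy` output.
SAMPLE_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.mdm/.AdminReceiver:
      uid=10087
      testOnlyAdmin=false
      policies:
        force-lock
        wipe-data
    com.fbvideo.downloader/.GpsAdmin:
      uid=10142
      testOnlyAdmin=false
      policies:
        force-lock
        reset-password
  Device Owner:
    None
"""

# Constructed package -> application label map.
SAMPLE_LABELS = {
    "com.example.mdm": "Corp MDM",
    "com.fbvideo.downloader": "Google Play Services",
    "com.google.android.gms": "Google Play Services",
}

# An admin component line: exactly four spaces, "package/Receiver:".
ADMIN_LINE = re.compile(r"^ {4}([A-Za-z0-9_.]+)/(\S+):\s*$")


def parse_device_admins(dump):
    """Return the enabled admin components ("pkg/Receiver") in the dump."""
    admins = []
    in_section = False
    for line in dump.splitlines():
        if "Enabled Device Admins" in line:
            in_section = True
            continue
        # Any other two-space-indented heading closes the section.
        if in_section and re.match(r"^ {2}\S", line):
            in_section = False
        if in_section:
            m = ADMIN_LINE.match(line)
            if m:
                admins.append(f"{m.group(1)}/{m.group(2)}")
    return admins


def suspicious_admins(dump, labels, expected=EXPECTED_ADMINS):
    """Return admins that are neither expected nor Google's own packages.

    Each finding is a dict with the component, its label and a reason;
    labels that borrow Google Play's name get called out explicitly.
    """
    findings = []
    for component in parse_device_admins(dump):
        pkg = component.split("/", 1)[0]
        if pkg in expected or pkg in GOOGLE_PLAY_PACKAGES:
            continue
        label = labels.get(pkg, "")
        reason = "unexpected device admin"
        if "google play" in label.lower():
            reason = "uses the Google Play name under a non-Google package"
        findings.append({"component": component, "package": pkg,
                         "label": label, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in suspicious_admins(SAMPLE_DEVICE_POLICY, SAMPLE_LABELS):
        print(f"{f['component']} ({f['label']!r}): {f['reason']}")
        print("  revoke its admin rights in the security settings, then:")
        print(f"  adb uninstall {f['package']}")
```

The component string in each finding is what you look for in the device administrator settings; uninstalling usually fails while the app still holds admin rights, which is why revocation comes first.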