SafeUM
Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
19 Jan 2018

This Android malware wants to steal your Facebook login and bombard you with ads

Malware which aims to steal Facebook login credentials and also aggressively displays pop-up adverts has been uncovered targeting Android users via the Google Play store -- and may have been downloaded by hundreds of thousands of unwitting victims.

Dubbed GhostTeam, after strings found in its code, by analysts at security company Trend Micro, the malware first appeared on Google Play in April 2017, disguised in the official Android marketplace as utility apps, performance boosters, and social media video downloaders.

A total of 53 applications have been identified as distributors of GhostTeam malware and, while there's no exact figure on how many people have inadvertently compromised their device, one malicious app -- advertised as a means of downloading videos from Facebook -- has been downloaded between 100,000 and 500,000 times.

While it's not clear why the attackers are going after Facebook accounts, researchers suggest that they could be used for anything from distributing additional malware, to mining cryptocurrency, to using the social media platform to spread fake news.

After being downloaded, GhostTeam first checks whether the phone is running in an emulator or virtual environment, a strategy likely employed by its developers to keep the malware from executing, and revealing its behaviour, inside analysts' sandboxes.
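The article says only that GhostTeam refuses to run in an emulator, not which properties it inspects. The script below is an added example (not GhostTeam's code and not Trend Micro's tooling) that applies the checks Android malware most commonly uses for this purpose to `adb shell getprop` output, so an analyst can see whether their sandbox would be skipped. Both property dumps are constructed samples, and the heuristic list is an assumption about typical droppers, not a published GhostTeam indicator set.

```python
"""Emulator indicators of the kind GhostTeam-style droppers test before
dropping their payload.

Added example, not the malware's own code. The properties checked are the
ones commonly consulted by Android anti-analysis code; GhostTeam's exact
list is not published in the article.
"""
import re

# Constructed sample `getprop` output from a stock Android SDK emulator.
SAMPLE_EMULATOR_GETPROP = """\
[ro.build.fingerprint]: [google/sdk_gphone_x86/generic_x86:10/QSR1.190920.001/5891938:user/release-keys]
[ro.hardware]: [ranchu]
[ro.kernel.qemu]: [1]
[ro.product.model]: [sdk_gphone_x86]
[ro.product.manufacturer]: [Google]
"""

# Constructed sample from a physical handset.
SAMPLE_PHONE_GETPROP = """\
[ro.build.fingerprint]: [samsung/a5y17ltexx/a5y17lte:8.0.0/R16NW/A520FXXU4CRG6:user/release-keys]
[ro.hardware]: [samsungexynos7880]
[ro.product.model]: [SM-A520F]
[ro.product.manufacturer]: [samsung]
"""

# getprop prints one "[key]: [value]" pair per line.
_PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(text):
    """Turn `adb shell getprop` output into a dict of property -> value."""
    props = {}
    for line in text.splitlines():
        m = _PROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def emulator_indicators(props):
    """Return the list of heuristics that fire on this property set.

    Each entry is one reason a dropper would conclude it is being analysed.
    """
    hits = []
    fingerprint = props.get("ro.build.fingerprint", "")
    model = props.get("ro.product.model", "")
    hardware = props.get("ro.hardware", "")

    # The emulator kernel advertises itself through ro.kernel.qemu.
    if props.get("ro.kernel.qemu") == "1":
        hits.append("ro.kernel.qemu=1 (QEMU-backed kernel)")
    # goldfish and ranchu are the emulator board names.
    if hardware in ("goldfish", "ranchu"):
        hits.append(f"ro.hardware={hardware} (emulator board name)")
    # SDK system images carry generic/sdk_gphone fingerprints.
    if fingerprint.startswith("generic") or "/generic_" in fingerprint or "sdk_gphone" in fingerprint:
        hits.append("ro.build.fingerprint looks like an SDK image")
    # Emulator models are named after the SDK rather than a retail device.
    if "sdk" in model.lower() or "emulator" in model.lower():
        hits.append(f"ro.product.model={model}")
    return hits


def looks_like_emulator(props):
    """True when at least one indicator fires, i.e. the payload would be withheld."""
    return bool(emulator_indicators(props))


if __name__ == "__main__":
    for name, text in (("emulator", SAMPLE_EMULATOR_GETPROP), ("phone", SAMPLE_PHONE_GETPROP)):
        hits = emulator_indicators(parse_getprop(text))
        verdict = "payload withheld" if hits else "payload dropped"
        print(f"{name}: {verdict}; indicators: {hits}")
```

The practical use is the inverse of the malware's: if `emulator_indicators` fires on your analysis VM, the sample will stay dormant there, and the listed properties are the ones to spoof (or the reason to detonate on a physical test handset instead).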

Once it has confirmed that it is running on a regular Android device, GhostTeam drops its payload, disguised as 'Google Play Services', together with a false prompt claiming that an app needs to be verified.

From then on, whenever the user opens Google Play or Facebook, they are prompted to install the fake 'Google Play Services', which then requests device administrator privileges. Granting them gives GhostTeam control of the device and, because a device administrator app cannot be uninstalled until that privilege is revoked, makes the malware hard to remove.

When the infected user next opens their Facebook app, they are asked to verify their account through what looks like the standard login screen. Behind the scenes, however, that screen is rendered in a WebView into which the malware injects its own code, so the email address and password entered are captured and sent to a command-and-control server.

If no two-factor authentication is applied, this puts the Facebook account into the hands of the attackers to use as they see fit. While campaigns using the stolen credentials have yet to be seen in the wild, "it's not far-fetched to think they would," said Kevin Sun, mobile threat analyst at Trend Micro.

In addition to stealing Facebook credentials, GhostTeam also aggressively pushes full-screen pop-up ads to the victim -- most likely as a means of generating revenue from clicks. In order to push the highest number of adverts possible, it displays full-screen ads on the homescreen when the user is interacting with the device. It also keeps the device awake by showing adverts in the background.

The highest percentage of GhostTeam's victims are in India, which recently overtook the US as the country with the most Facebook users. That provides the attackers with a large base of potential victims to steal accounts from. A significant number of infections have also been uncovered in Indonesia, Brazil, Vietnam, Australia, and the Philippines.

Researchers suggest the malicious apps could be the product of cybercriminals in Vietnam, because of "considerable use" of Vietnamese language in the code. Within Vietnam, the default language of the malicious apps is set to Vietnamese, while outside of Vietnam it reverts to English.

Trend Micro disclosed the findings to Google, and all of the malicious GhostTeam apps have since been removed from the Google Play store. Google was asked for a statement but had not responded at the time of publication.

Facebook has also been made aware of the account stealing malware. "We are blocking the distribution of these apps where we can and we have systems to help detect compromised accounts and credentials," said a Facebook spokesperson.

Users can reduce the risk of Android malware by keeping their device patched and up to date, checking the developer and reviews of apps before installing them, and being suspicious of any app that asks for device administrator rights or that prompts for a Facebook login outside the official Facebook app.

Those who fear their device has been compromised by GhostTeam can remove it by revoking the fake 'Google Play Services' app's device administrator rights and then uninstalling it. They should also change their Facebook password, doing so only after the malware has been removed so that the new password is not captured in turn, and enable two-factor authentication, which prevents a stolen password from being used on its own.
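The two traits the article attributes to the dropper, an app calling itself 'Google Play Services' that is not the genuine package, and a third-party app holding device administrator rights, can be checked mechanically against an inventory of installed apps. The script below is an added example, not part of the article and not Trend Micro's tooling. The inventory is a constructed list; on a real device the package names, labels and admin state would be gathered with `adb shell pm list packages -3`, `adb shell dumpsys device_policy` and the Settings app. The genuine Google Play Services package name is `com.google.android.gms`; the admin allowlist entry `com.example.corp.mdm` and the impostor package `com.gpsrv.verify` are hypothetical.

```python
"""Triage an Android app inventory for GhostTeam-style traits.

Added example, not the article's or Trend Micro's code. Flags:
  1. an app whose label impersonates Google Play Services but whose package
     is not the genuine one;
  2. a non-system app holding device administrator rights that is not on
     an operator-maintained allowlist.
"""
from dataclasses import dataclass

# Genuine packages that legitimately carry a "Google Play Services" label.
GENUINE_PLAY_SERVICES = {
    "com.google.android.gms",   # Google Play Services
    "com.google.ar.core",       # "Google Play Services for AR" (ARCore)
}

# Hypothetical allowlist of packages expected to hold device admin,
# e.g. the organisation's MDM agent.
ADMIN_ALLOWLIST = {"com.example.corp.mdm"}


@dataclass(frozen=True)
class InstalledApp:
    package: str
    label: str
    system: bool        # part of the system image
    device_admin: bool  # currently an active device administrator


# Constructed sample inventory; com.gpsrv.verify plays the fake dropper.
SAMPLE_INVENTORY = [
    InstalledApp("com.google.android.gms", "Google Play Services", True, False),
    InstalledApp("com.google.ar.core", "Google Play Services for AR", False, False),
    InstalledApp("com.facebook.katana", "Facebook", False, False),
    InstalledApp("com.example.corp.mdm", "Corp MDM", False, True),
    InstalledApp("com.video.downloader.fb", "FB Video Downloader", False, False),
    InstalledApp("com.gpsrv.verify", "Google  Play services", False, True),
]


def _normalised(label):
    """Case-fold and collapse whitespace so cosmetic variants still match."""
    return " ".join(label.lower().split())


def impostor_play_services(apps):
    """Apps whose label claims to be Google Play Services but whose package is not."""
    return [
        a for a in apps
        if "google play services" in _normalised(a.label)
        and a.package not in GENUINE_PLAY_SERVICES
    ]


def suspicious_device_admins(apps):
    """Non-system device administrators outside the allowlist."""
    return [
        a for a in apps
        if a.device_admin and not a.system and a.package not in ADMIN_ALLOWLIST
    ]


def triage(apps):
    """Map each flagged package to the list of reasons it was flagged."""
    findings = {}
    for a in impostor_play_services(apps):
        findings.setdefault(a.package, []).append("label impersonates Google Play Services")
    for a in suspicious_device_admins(apps):
        findings.setdefault(a.package, []).append("holds device administrator rights")
    return findings


if __name__ == "__main__":
    for package, reasons in triage(SAMPLE_INVENTORY).items():
        print(package)
        for reason in reasons:
            print("  -", reason)
```

A package flagged for both reasons matches the dropper the article describes. Order of clean-up matters: revoke its device administrator rights first (the uninstall is blocked until then), uninstall it, and only then change the Facebook password, so that the replacement is not captured by the still-running WebView hook.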

Tags:
Facebook Android information leaks GhostTeam
Source:
ZDNet