The apps tricked users by loading the Facebook sign-in page and redirecting it to a command and control server, which loaded JavaScript that then “hijacked” usernames and passwords and passed them to the app, and then to the command server. To complete their goal, they would also swipe some cookies from the authorisation session. While Facebook was the only target in each case, the perpetrators could have easily redirected users toward alternative internet services. It was discovered that while there were five malware variants, they all used the same JavaScript code and configuration file formats to steal the information.
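For app reviewers, the behaviour described above can be turned into a static triage check over decompiled source. This is an added example, not code from the researchers or from Google; it assumes the sign-in page is shown in an Android WebView, generalises from Facebook to any sign-in URL, and the function name `triage` and both samples are constructed for illustration.

```python
import re

# Indicators searched for in decompiled Java source. Treating the embedded
# browser as an Android WebView is an assumption; the article names no component.
INDICATORS = {
    "loads_login_page": re.compile(r'loadUrl\(\s*"https?://[^"]*(login|signin)[^"]*"', re.I),
    "js_enabled": re.compile(r'setJavaScriptEnabled\(\s*true\s*\)'),
    "js_bridge": re.compile(r'addJavascriptInterface\('),
    "js_injection": re.compile(r'evaluateJavascript\(|loadUrl\(\s*"javascript:'),
    "cookie_read": re.compile(r'CookieManager\b[^;]*\.getCookie\('),
}

def triage(source: str) -> dict:
    """Return the matched indicators and a verdict for one decompiled class."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(source))
    # Core pattern from the article: a sign-in page is loaded, script is
    # injected into it, and a bridge hands page data back to the app.
    core = {"loads_login_page", "js_injection", "js_bridge"}
    if core <= set(hits):
        verdict = "high" if "cookie_read" in hits else "medium"
    elif "loads_login_page" in hits and ("js_bridge" in hits or "js_injection" in hits):
        verdict = "review"
    else:
        verdict = "none"
    return {"hits": hits, "verdict": verdict}

# Constructed sample: sign-in page, injected script, bridge and cookie read.
SUSPICIOUS = '''
WebView view = new WebView(this);
view.getSettings().setJavaScriptEnabled(true);
view.addJavascriptInterface(new Bridge(), "bridge");
view.loadUrl("https://login.example.com/signin");
view.evaluateJavascript(remoteScript, null);
String session = CookieManager.getInstance().getCookie(pageUrl);
'''

# Constructed sample: an ordinary help page with JavaScript enabled.
BENIGN = '''
WebView view = new WebView(this);
view.getSettings().setJavaScriptEnabled(true);
view.loadUrl("https://help.example.com/faq");
'''

if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, triage(src))
```

A "high" or "medium" verdict is a prompt for manual review, since legitimate apps can also combine these calls.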
In response to an inquiry from Ars, Google stated that it had banned the offending developers from the store, though this may not pose much of a barrier for the perpetrators, as they can easily set up new developer accounts. To that end, it is possible that Google will have to screen for the malware itself in order to keep the scammers out. Of course, the bigger question is how the apps ended up with so many downloads before they were removed. Thanks to the artificial intelligence and machine learning that Google has employed, the majority of malware online does not slip into the Play Store, but the finer points of the technique may have allowed certain rogue apps to bypass these checks and leave their victims unaware that their Facebook data had been compromised.
The damage this time isn’t so bad compared to when Google discovered that CamScanner, a popular app that had been downloaded over 100 million times, was riddled with malware. On another note, Google Play’s AI detected one million apps that violated the platform’s policies last year. Regardless of the underlying cause, it bears repeating that it’s important to be cautious about downloading apps from unknown developers, no matter how popular they appear to be. (Sources: Engadget, SlashGear // Image: portal gda / Flickr)