Google just removed 25 Android malicious apps that would steal Facebook login credentials, but before that, their total downloads have exceeded 2.34 million times. The French network security company Evina analyzed and found that although they provide different functions, this malware is behind the same master, and they all work on the same principle.
It is reported that this batch of Android malware packaged itself as a pedometer, image editor, video editor, wallpaper, flashlight, file manager, and mobile game.
However, Evina researchers pointed out that while providing regular functions, they also conceal malicious code. For example, detect which apps the user has recently opened, and keep the foreground running.
Taking the Facebook official app as an example, the malware will overwrite a web browser window on top of the on-track program and load a fake Facebook login page to deceive the user’s login credentials.
The information entered by the phishing page will be passed to the remote server airship.PW by malware (now disabled).
Evina added that it had reported to Google at the end of May 25 pieces of malware that had stolen Facebook login credentials.
Google conducted an investigation and verification earlier in June, and then quickly removed it. Even so, some Android malicious apps have remained in the official Play store for more than a year
