Facebook Malware Gets 100,000 Downloads

Dark Web Hackers Steal Facebook’s Credentials

100,000 downloads of a Facebook credentials stealer App is still downloadable on the Google Play Store. The newly discovered malicious Android app was reported by cybersecurity analysts at the Pradeo security firm. Analysts tracking the App stated that it’s an old Trojan malware repackaged to wreak havoc on followers of the social media platform.

The App steals Facebook credentials when unsuspecting users download the app; it allows them to upload pictures and create cartoon like images. Discovered on the Google Play Store as ‘Craftsart Cartoon Photo Tools, the dangerous App is rendered in the form of a cartoonifier that can easily convert an image into a cute cartoon character.

And while the malware disguised as a useful App remains accessible for download, Pradeo’s researcher have been busy analyizing the Android malware . The cyber security company revealed that the disguised cartoonifier App is injected with a Trojan, which operates as a credentials stealer.

Malicious FaceStealer Android Apps

The ‘Craftsart Cartoon Photo Tools,’ that easily allows users to convert uploaded images is a part of a group of Trojans that are actually disguised ‘FaceStealer,’ Apps. When utilized the malicious trojan reverts to a Facebook login screen, that prompts users to log into their Facebook accounts to be able to use the cartoon rendering App.

Security researchers at Jamf also outlined how the FaceStealer Trojan app further compromises and steals Facebook users secured credentials. According to Jamf researcher Michal Rajčan, the malicious App redirects users that have entered their credentials to a control server, the app then offer command prompts to zutuu[.]info [VirusTotal].

And once the Facebook users are redirected to the fake server created by the dark web hackers, they then easily collects private data from the duped social media followers.

In addition, the hackers after collecting private data information can then force the unsuspecting Facebook users to connect to other fake themed urls www.dozenorms[.]club URL [VirusTotal]. With the information already stolen by the previous C2 server, the malicious Trojan App continues its infectious rampage where more private data captured on the network systems of the dark web hacking group.

Trojan Malware Resurfaced

According to Pradeo’s report, the malicious App had surfaced before as a promoter for previously discovered FaceStealer Android Trojans. The researchers also pointed out that the creator of the App had injected a malicious code into a legitimate App to revamp an old malware.

Reportedly, the automated and repackaged App filled with the malicious code legitimately fooled Google Play Store administrators, and allowed it to sail through the vetting process, thus avoiding it being flagged and removed from the popular App download platform.

With limited functionality available at download, to use the App, a user has to log into a Facebook account. However, after logging into the social media platform, the App’s limited functionality redirects to a specified image of this fake online editor, http://color.photofuneditor.com/.

The uploaded image will now boast a virus infected graphics filter, which can be downloaded and sent to friends and families, who then can spread the malicious Trojan to other Facebook followers’ Android devices.

Social media followers are being warned that when biometric and other private data are stolen by dark web hackers, they are usually stored for indefinite periods, and are oftentimes shared and resold on dark web marketplaces.