
GhostTeam malware stealing Facebook credentials of Android users for almost a year


New malware that could steal Facebook credentials and push ads to infected devices has been discovered in 53 different apps on Google Play. Identified by security researchers at Trend Micro as ANDROIDOS_GHOSTTEAM, the malware was present in many apps, which were created as early as April 2017.

These Android apps were published on the Play Store as utility apps (flashlight, QR code scanner, compass), video downloaders for social media, and performance boosters (file transfer, cleaner). One of the apps was downloaded over 100,000 times, and seems to have infected thousands of users.

Trend Micro found that samples of some of these apps were in the Vietnamese language, indicating that the apps were developed in Asia. The configurations of GhostTeam were in English and Vietnamese, and if the geolocation of the user was outside Vietnam, English would be the default language.

The malware primarily affected Android users in India, Indonesia, Brazil, Vietnam, and the Philippines. It spread rapidly in different forms and reached US-based customers as well.

No cybercriminal activity was reported by Facebook users as a result of the stolen credentials. However, the hackers can use them to deliver more damaging malware and to form an army of malicious actors on social media, which can promote fake news and cryptocurrency mining.

When the app is installed, the malware retrieves the payload and asks the user to verify an app pretending to be “Google Play Services”. If the user verifies it, the malware pops up a notification to install the fake Google Play Services, which then asks for administrative privileges. This gives GhostTeam control of the device, which it uses to steal Facebook credentials and push ads in the background. Trend Micro believes that the hackers earn money from GhostTeam ads.

Google removed all the malicious apps from the Play Store after Trend Micro informed the search giant about the GhostTeam malware. Google Play Protect has also been updated to prevent the publication of such apps on the Play Store in the future.

“We are blocking the distribution of these apps where we can and we have systems to help detect compromised accounts and credentials,” Facebook said in a statement to Trend Micro.


Users should read the reviews before installing an app, because this is not the first time that malware has been found in Android apps. In October last year, a malicious cryptocurrency miner was found on the Google Play Store which reduced battery life, increased device wear and tear, and slowed down device performance.
