Google just got rid of a total of 63 apps from the official Play Store recently as they were discovered to be infected with a new kind of Android malware dubbed as “GhostTeam” which has the ability to steal Facebook credentials as well as bombard users with a bunch of ads on their infected devices.

This new Android malware was discovered by security teams of Trend Micro and Avast. According to the researchers, the malware has long been active in the Google Play Store but was just discovered as of late and reported to the Google team.

The technique used by GhostTeam is up to par with the latest distribution method which is currently in trend with most of the developers of Android malware.

When a user installs a clean app with legitimate features, that’s when the initial infections begin. The app is known as “dropper” and would connect to a remote Command and Control or C&C server at some point where it will download other malicious apps containing the real GhostTeam malware and install them into the infected device.

This second-stage app is mostly disguised as some kind of a system-level app where the attackers make use of fake security alerts that are displayed through the original app to trick users into installing the second app themselves and obtain administrative rights. And once it is able to gain admin access, the Android malware will show intrusive ads on the infected device primarily.

Another function of this Android malware is that it was found to be stealing Facebook credentials from the infected devices. What has security experts puzzled is that the method it uses in stealing Facebook credentials is quite unique as the malware does not use any fake login screens that are overlaid on top of the original Facebook app – instead, it steals data from the actual Facebook login page. So how exactly this malware does this? Well, it achieves this kind of ability by detecting when the user tries to open the real Facebook app and then open its real login page inside a native Android headless browser component just like WebChromeClient or WebView. And since these apps are portable browsers which developers can embed inside their apps which app developers have full control so there is no wonder that GhostTeam was able to steal Facebook credentials on top of displaying intrusive ads.

During the process of stealing Facebook details, the malware-laden apps load the real Facebook login page inside the aforementioned portable browsers and at the same time, it also loads malicious JavaScript code responsible in collecting a user’ login credentials on Facebook. Afterwards, the collected data will be sent to the malware’s remote server which is under GhostTeams control.

And since the login operations take place on the original Facebook login page and inside a legitimate Android component, mobile security apps weren’t able to detect that the Facebook credentials were being stolen.

According to Avast and Trend Micro, these malware-infested apps might be created by some Vietnamese threat actor as the apps have Vietnamese as the default language although they also offer English versions for users who do not speak Vietnamese. Even so, some of their descriptions in the Google Play Store were also in Vietnamese not to mention that these apps communicate to their command and control or C&C servers that are hosted using Vietnamese IP addresses – in spite of this, the leading countries that are infected with GhostTeam are India, Indonesia as well as Brazil. These three countries have over 60% of the infections.

“We’ve removed the apps from Play, disabled the developers’ accounts, and will continue to show strong warnings to anyone that has installed them,” stated a spokesperson from Google. “We appreciate Check Point’s work to help keep users safe.”

Security experts advised users to change their Facebook credentials immediately as well as enable the two-factor authentication if they find any of these apps on their Android devices.

According to Check Point, the apps listed below are the ones infected with GhostTeam:

1. Five Nights Survival Craft
2. Mcqueen Car Racing Game
3. Addon Pixelmon for MCPE
4. CoolCraft PE
5. Exploration Pro WorldCraft
6. Draw Kawaii
7. San Andreas City Craft
8. Subway Banana Run Surf
9. Exploration Lite: Wintercraft
10. Addon GTA for Minecraft PE
11. Addon Sponge Bob for MCPE
12. Drawing Lessons Angry Birds
13. Temple Crash Jungle Bandicoot
14. Drawing Lessons Lego Star Wars
15. Drawing Lessons Chibi
16. Girls Exploration Lite
17. Drawing Lessons Subway Surfers
18. Paw Puppy Run Subway Surf
19. Flash Slither Skin IO
20. Invisible Slither Skin IO
21. Drawing Lessons Lego Ninjago
22. Drawing Lessons Lego Chima
23. Temple Bandicoot Jungle Run
24. Blockcraft 3D
25. Jungle Survival Craft 1.0
26. Easy Draw Octonauts
27. halloweenskinsforminecraft
28. skinsyoutubersmineworld
29. youtubersskins
30. DiadelosMuertos
31. Draw X-Men
32. Moviesskinsforminecraft
33. Virtual Family – Baby Craft
34. Mine Craft Slither Skin IO
35. Guide Clash IO
36. Invisible Skin for Slither IO app
37. Zombie Island Craft Survival
38. HalloweenMakeUp
39. ThanksgivingDay
40. ThanksgivingDay2
41. Jurassic Survival Craft Game
42. Players Unknown Battle Ground
43. Subway Bendy Ink Machine Game
44. Shin Hero Boy Adventure Game
45. Temple Runner Castle Rush
46. Dragon Shell for Super Slither
47. Flash Skin for Slither IO app
48. AnimePictures
49. Pixel Survival – Zombie Apocalypse
50. Fire Skin for Slither IO app
51. San Andreas Gangster Crime
52. fidgetspinnerforminecraft
53. Stickman Fighter 2018
54. Subway Run Surf
55. Guide Vikings Hunters
56. Woody Pecker
57. Pack of Super Skins for Slither
58. Spinner Toy for Slither
59. How to Draw Coco and The Land of the Dead
60. How to Draw Dangerous Snakes and Lizards Species
61. How to Draw Real Monster Trucks and Cars
62. How to Draw Animal World of The Nut Job 2
63. How to Draw Batman Legends in Lego Style