A new Android malware strain has been discovered that can phish users' Facebook credentials and use them to log into the accounts, steal account information, and run searches with Facebook’s search functionality and collect the results.
The new malware strain, dubbed “Fakeapp”, was detected earlier this month by researchers from Symantec. According to Symantec, at the time of writing it is being distributed inside malicious apps made available to English-speaking users on third-party app stores. Though it mainly targets English-speaking users, the malware has affected quite a number of users in the Asia-Pacific region, which suggests that the third-party app stores might have a local Asian audience as well.
Once installed on an Android device, the malware immediately hides itself from the home screen and launches a service that runs in the background. This service starts a spoofed Facebook login user interface that steals the user’s Facebook credentials. Fakeapp displays this fake login screen from time to time until the user keys in their Facebook username and password.
This Facebook credential-stealing malware differs from the ones that came before it: not only does it send the credentials it has gathered to the attacker’s server, it also uses them right away on the infected device.
During its attack, Fakeapp starts a WebView window, which is a stripped-down mobile browser component, and makes it almost entirely transparent with a window alpha-transparency value of 0.01f, which is near 0. The malware then loads the Facebook login page and accesses the user’s account immediately. Symantec did not really explain why the malware is in such a rush to use these credentials, but it is believed that the attackers are trying to avoid Facebook’s security measures, which warn users when someone attempts to access their account from a new IP address, so that the attack is not interrupted. Since the attackers log into the account from the very same device, the attack remains undetected.
Once the malware gets hold of the Facebook account, it collects the user’s account information such as education, work, contacts, bio, family, groups, events, posts, pages, and so on. So, as you can see, it isn’t as harsh as other malware that likes Facebook content and posts spam.
“The functionality that crawls the Facebook page has a surprising level of sophistication,” the two researchers from Symantec, Martin Zhang and Shaun Aimoto, stated after analyzing Fakeapp.
“The crawler has the ability to use the search functionality on Facebook and collect the results. Additionally, to harvest information that is shown using dynamic web techniques, the crawler will scroll the page and pull content via Ajax calls,” the researchers added.
Based on these statements, it is easy to tell that the kind of behavior shown by this malware has never been analyzed before. It is also bizarre that it does not perform any operation that would earn its operators money. This leads to the notion that Fakeapp might be spyware created to build a database of users, conceivably in order to categorize persons of high interest and so on.
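The near-transparent WebView described above is a useful static triage signal for analysts reviewing apps from third-party stores. The following Python heuristic is an added example, not code from Symantec or from the original article; it scans decompiled Java source text for a window alpha at or near 0 used together with a WebView that loads a remote page. The function name `triage`, the 0.05 threshold, and both sample sources are assumptions constructed for illustration.

```python
import re

# Matches "x.alpha = 0.01f" (WindowManager.LayoutParams) and "setAlpha(0.01f)" (View).
ALPHA_RE = re.compile(r"(?:\.alpha\s*=\s*|setAlpha\s*\(\s*)(\d*\.?\d+)[fF]?")
WEBVIEW_RE = re.compile(r"\bWebView\b")
REMOTE_LOAD_RE = re.compile(r'loadUrl\s*\(\s*"https?://')
ALPHA_THRESHOLD = 0.05  # assumption: at or below this, a window is effectively invisible


def triage(source: str) -> dict:
    """Flag decompiled source that pairs a near-invisible window with a remote WebView load."""
    low_alpha = [float(m.group(1)) for m in ALPHA_RE.finditer(source)
                 if float(m.group(1)) <= ALPHA_THRESHOLD]
    webview = bool(WEBVIEW_RE.search(source))
    remote_load = bool(REMOTE_LOAD_RE.search(source))
    return {
        "low_alpha": low_alpha,
        "webview": webview,
        "remote_load": remote_load,
        # All three together are unusual for a legitimate app and merit manual review.
        "suspicious": bool(low_alpha) and webview and remote_load,
    }


# Constructed sample: fragment resembling the behavior the article describes.
SUSPECT_SRC = '''
WindowManager.LayoutParams lp = new WindowManager.LayoutParams();
lp.alpha = 0.01f;
WebView view = new WebView(context);
view.loadUrl("https://login.example/");
'''

# Constructed sample: an ordinary, fully visible in-app browser.
BENIGN_SRC = '''
WebView view = new WebView(context);
view.setAlpha(1.0f);
view.loadUrl("https://help.example/faq");
'''

if __name__ == "__main__":
    for name, src in (("suspect", SUSPECT_SRC), ("benign", BENIGN_SRC)):
        print(name, triage(src))
```

A hit is only a lead for manual review: the check is textual, so obfuscated or computed alpha values will not match.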