Google just got rid of a total of 63 apps from the official Play Store recently as they were discovered to be infected with a new kind of Android malware dubbed as “GhostTeam” which has the ability to steal Facebook credentials as well as bombard users with a bunch of ads on their infected devices.
This new Android malware was discovered by security teams of Trend Micro and Avast. According to the researchers, the malware has long been active in the Google Play Store but was just discovered as of late and reported to the Google team.
The technique used by GhostTeam is up to par with the latest distribution method which is currently in trend with most of the developers of Android malware.
When a user installs a clean app with legitimate features, that’s when the initial infections begin. The app is known as “dropper” and would connect to a remote Command and Control or C&C server at some point where it will download other malicious apps containing the real GhostTeam malware and install them into the infected device.
This second-stage app is mostly disguised as some kind of a system-level app where the attackers make use of fake security alerts that are displayed through the original app to trick users into installing the second app themselves and obtain administrative rights. And once it is able to gain admin access, the Android malware will show intrusive ads on the infected device primarily.
Another function of this Android malware is that it was found to be stealing Facebook credentials from the infected devices. What has security experts puzzled is that the method it uses in stealing Facebook credentials is quite unique as the malware does not use any fake login screens that are overlaid on top of the original Facebook app – instead, it steals data from the actual Facebook login page. So how exactly this malware does this? Well, it achieves this kind of ability by detecting when the user tries to open the real Facebook app and then open its real login page inside a native Android headless browser component just like WebChromeClient or WebView. And since these apps are portable browsers which developers can embed inside their apps which app developers have full control so there is no wonder that GhostTeam was able to steal Facebook credentials on top of displaying intrusive ads.
And since the login operations take place on the original Facebook login page and inside a legitimate Android component, mobile security apps weren’t able to detect that the Facebook credentials were being stolen.
According to Avast and Trend Micro, these malware-infested apps might be created by some Vietnamese threat actor as the apps have Vietnamese as the default language although they also offer English versions for users who do not speak Vietnamese. Even so, some of their descriptions in the Google Play Store were also in Vietnamese not to mention that these apps communicate to their command and control or C&C servers that are hosted using Vietnamese IP addresses – in spite of this, the leading countries that are infected with GhostTeam are India, Indonesia as well as Brazil. These three countries have over 60% of the infections.
“We’ve removed the apps from Play, disabled the developers’ accounts, and will continue to show strong warnings to anyone that has installed them,” stated a spokesperson from Google. “We appreciate Check Point’s work to help keep users safe.”
Security experts advised users to change their Facebook credentials immediately as well as enable the two-factor authentication if they find any of these apps on their Android devices.
According to Check Point, the apps listed below are the ones infected with GhostTeam:
- Five Nights Survival Craft
- Mcqueen Car Racing Game
- Addon Pixelmon for MCPE
- CoolCraft PE
- Exploration Pro WorldCraft
- Draw Kawaii
- San Andreas City Craft
- Subway Banana Run Surf
- Exploration Lite: Wintercraft
- Addon GTA for Minecraft PE
- Addon Sponge Bob for MCPE
- Drawing Lessons Angry Birds
- Temple Crash Jungle Bandicoot
- Drawing Lessons Lego Star Wars
- Drawing Lessons Chibi
- Girls Exploration Lite
- Drawing Lessons Subway Surfers
- Paw Puppy Run Subway Surf
- Flash Slither Skin IO
- Invisible Slither Skin IO
- Drawing Lessons Lego Ninjago
- Drawing Lessons Lego Chima
- Temple Bandicoot Jungle Run
- Blockcraft 3D
- Jungle Survival Craft 1.0
- Easy Draw Octonauts
- Draw X-Men
- Virtual Family – Baby Craft
- Mine Craft Slither Skin IO
- Guide Clash IO
- Invisible Skin for Slither IO app
- Zombie Island Craft Survival
- Jurassic Survival Craft Game
- Players Unknown Battle Ground
- Subway Bendy Ink Machine Game
- Shin Hero Boy Adventure Game
- Temple Runner Castle Rush
- Dragon Shell for Super Slither
- Flash Skin for Slither IO app
- Pixel Survival – Zombie Apocalypse
- Fire Skin for Slither IO app
- San Andreas Gangster Crime
- Stickman Fighter 2018
- Subway Run Surf
- Guide Vikings Hunters
- Woody Pecker
- Pack of Super Skins for Slither
- Spinner Toy for Slither
- How to Draw Coco and The Land of the Dead
- How to Draw Dangerous Snakes and Lizards Species
- How to Draw Real Monster Trucks and Cars
- How to Draw Animal World of The Nut Job 2
- How to Draw Batman Legends in Lego Style