April 15, 2022

An Embedded Facestealer Android Trojan Application Steals 100 000+ Facebook Credentials on Google Play Store

Android users should be wary of apps from unknown developers. Pradeo researchers recently found a malicious "Facestealer" spyware app on the Google Play Store, Craftsart Cartoon Photo Tools, which had been installed more than 100,000 times before it was taken down.

Facestealer relied on social engineering, not on a platform exploit: the app persuaded users to hand over their Facebook credentials and then sent them to a server behind a Russian-registered domain. With a valid username and password, the attackers gained full control of the victims' Facebook accounts and everything attached to them: stored payment card details, conversations, search history, and so on. The image below lists the account data they could access and download once logged in.

The good news is that Google removed the app from the Play Store on March 22nd.

How They Fool Google and Users 

The malware was shipped as an ordinary mobile app on Google Play and on third-party app stores. The app mimicked the look and behaviour of well-known, legitimate photo-editing apps in order to reach a large audience and keep suspicion low. Because the malicious logic is only a small piece of code wrapped around an otherwise working app, it slipped past the stores' safeguards.

Malware Collected Facebook Accounts Credentials

Immediately after installing and opening the app, users were shown a Facebook login page and told they had to sign in before they could use the app; refusing to log in meant the app would not work at all. As soon as a user logged in, the username and password were forwarded to the attackers.

Financial Fraud

Stolen Facebook credentials are used in many ways, most commonly to send phishing links from a trusted account, spread fake news, and commit financial fraud. In this case the criminals also had access to payment card details saved in the victims' accounts, which made stealing money straightforward.

Russian Registered Domain Connections

Craftsart Cartoon Photo Tools connected to a domain registered in Russia. Security researchers who investigated the domain found that it had been used on and off for seven years and was linked to several other malicious mobile apps that were at one point available on Google Play and later removed. Cybercriminals keep repackaging apps to stay present on Google Play, and they often automate the repackaging, so returning with a fresh app each time one is detected and removed costs them very little.

How to Remove this Malicious App

The good news is that no other app in the Google Play Store shares this name, so identifying and removing Craftsart Cartoon Photo Tools from your device is simple.

To remove Craftsart Cartoon Photo Tools from your Android device, go to Settings > Apps > App management (menu names vary slightly by manufacturer), scroll down to Craftsart Cartoon Photo Tools, tap it, and tap Uninstall.

Go to Settings to check your phone for security updates. Settings > System > System update.
Install a reputable Android antivirus app to reduce the chance of this happening again. Also install apps only from Google Play: it is not perfectly safe, as this case shows, but it is far safer than third-party app stores, where Craftsart Cartoon Photo Tools can still be found.

Head to Google Play Store to turn on Google Play Protect. Google Play Store > Profile > Play Protect > Settings > Turn on Scan apps with Play Protect.


Whenever you suspect you have installed a compromised app and delete it, change the password of every account it asked you to log in to (in this case Facebook). Then sign out of all sessions from Facebook's security settings, so that any session the criminals still hold is terminated as well.

Do not forget to run a security checkup on your Google account. Open a web browser on your phone, go to the Google Account Security Checkup, and follow its steps to tighten the security settings for your account and device.

Next, always read user reviews before downloading an app. Some users gave this app one-star reviews and warned others that it was a terrible product and a scam. Below is a screenshot.

Another tactic used by cybercriminals that we'd like to discuss in this article, as revealed by cyber security experts, is an Android attack known as Tapjacking.

Tapjacking

Tapjacking, as the name implies, combines "tap" and "hijacking": an attacker takes control of what users tap on their phones and tablets. It is one of the more insidious Android attacks, because its classic toast-based form needed no special permission, external tool, or library.

A toast is a humble message that appears briefly on the screen and is gone by the time you notice it. Its intended use is non-critical notifications. The user does not interact with it (there is no way to), and the API offers no way to keep a toast on screen indefinitely: it appears and vanishes moments later.

There is another trick used in conjunction with Tapjacking known as screen overlays.


Screen Overlays

A screen overlay is a piece of an app's user interface that is drawn on top of other apps; the floating chat heads in Facebook Messenger are the best-known example. The "screen overlay detected" error some users see appears when such an overlay covers part of a permission dialog you are trying to answer, for instance when an app asks for access to your files on first launch, and it is easy to fix by disabling the overlay. Overlays are undoubtedly a useful feature, and the same mechanism behind those chat heads is what this section is about.

The irony of the situation is that cybercriminals use this feature to deceive mobile device users.

Tapjacking Is Caused by Screen Overlays

The key rule is that no untrusted overlay should be able to sit on top of your screen while you grant a sensitive permission or type a password into an app. We say "should" because the platform's protection is weak: the defence is a per-view flag (filterTouchesWhenObscured) that makes a view discard touches arriving while its window is obscured by another window, and it is off by default, so it protects only the views whose developers turned it on.

Why does this matter? An overlay can be abused in two ways. Drawn opaque and touchable, it can present a fake login form and capture whatever the user types, such as passwords and card numbers. Drawn so that touches pass through it, it can show a harmless-looking button positioned exactly over a sensitive control in the app underneath, so the user's tap lands on the real "Allow" or "Pay" button without their knowing. Either way the user sees one thing and the system records another.

How an Attacker Creates a Sneaky Overlay

This is where the toast comes back into play. Most developers picture a toast as a tiny, short-lived popup, but a toast can carry a custom view, including an image, and can be made much larger. How long does it live? An attacker creates the illusion of permanence with a plain Timer: every time the toast is about to expire, it is shown again, so the redrawn toast looks like a fixed part of the screen. A toast used this way can serve many purposes, from covering the real UI with a decoy to showing the user a fake password field. Note that custom toast views are deprecated since Android 11, and apps targeting Android 11 or later cannot show them from the background, so on current devices an attacker needs a real overlay window and the SYSTEM_ALERT_WINDOW ("Display over other apps") permission instead.
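The following Java service is an added example, not code from the article or from any malware sample: it is a tapjacking test harness that a pentester can install next to their own app to check whether its sensitive screens accept touches through an overlay. It uses a real overlay window rather than the toast trick, because that is what still works on current Android. The class name, the decoy text and the use of a plain Service are assumptions; it needs the SYSTEM_ALERT_WINDOW permission in the manifest and the user must grant "Display over other apps" to the test package.

```java
import android.app.Service;
import android.content.Context;
import android.content.Intent;
import android.graphics.Color;
import android.graphics.PixelFormat;
import android.os.Build;
import android.os.IBinder;
import android.provider.Settings;
import android.view.Gravity;
import android.view.WindowManager;
import android.widget.TextView;

/**
 * OverlayTestService (hypothetical name): draws a full-screen decoy over whatever app is in
 * the foreground while letting every touch pass through to it, which is exactly the
 * tapjacking setup. Install it next to the app under test to see which of that app's views
 * still react to taps while obscured.
 *
 * Manifest: <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
 * and <service android:name=".OverlayTestService"/>. The user must also grant
 * "Display over other apps" to this package in Settings.
 */
public class OverlayTestService extends Service {
    private WindowManager windowManager;
    private TextView decoy;

    @Override
    public void onCreate() {
        super.onCreate();
        // Since Android 6.0 the overlay permission is granted per app from Settings.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M && !Settings.canDrawOverlays(this)) {
            stopSelf();  // nothing to test without the permission
            return;
        }

        // TYPE_APPLICATION_OVERLAY is the only overlay type left to normal apps since
        // Android 8.0; TYPE_PHONE is the pre-8.0 equivalent.
        int windowType = Build.VERSION.SDK_INT >= Build.VERSION_CODES.O
                ? WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY
                : WindowManager.LayoutParams.TYPE_PHONE;

        WindowManager.LayoutParams params = new WindowManager.LayoutParams(
                WindowManager.LayoutParams.MATCH_PARENT,
                WindowManager.LayoutParams.MATCH_PARENT,
                windowType,
                // NOT_TOUCHABLE: touches fall through to the window underneath, which is the
                // whole point of tapjacking. NOT_FOCUSABLE: the decoy never takes key input.
                WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE
                        | WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE,
                PixelFormat.TRANSLUCENT);
        params.gravity = Gravity.TOP | Gravity.START;
        // Android 12 and later block touches that pass through another app's window when the
        // obscuring opacity exceeds 0.8, so the harness must stay below that to be meaningful.
        params.alpha = 0.75f;

        decoy = new TextView(this);
        decoy.setText("Tap anywhere to continue");  // constructed decoy text
        decoy.setTextSize(28f);
        decoy.setGravity(Gravity.CENTER);
        decoy.setBackgroundColor(Color.WHITE);

        windowManager = (WindowManager) getSystemService(Context.WINDOW_SERVICE);
        windowManager.addView(decoy, params);
    }

    @Override
    public void onDestroy() {
        if (decoy != null) {
            windowManager.removeView(decoy);
            decoy = null;
        }
        super.onDestroy();
    }

    @Override
    public IBinder onBind(Intent intent) {
        return null;  // started service only; nothing binds to it
    }
}
```

Start it from an activity with startService(new Intent(this, OverlayTestService.class)), then open the screen under test. If a button in the app still fires when you tap the decoy, that view does not filter obscured touches. Stop the service to remove the overlay. Any touch delivered to the app while the decoy is up carries MotionEvent.FLAG_WINDOW_IS_OBSCURED, which is what the defensive flag discussed later keys on.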

It should be obvious by now why tapjacking is so hard to stop: it is unobtrusive, and the victim has no visual cue that the thing they are tapping is not what it appears to be.

How to Prevent Android Tapjacking

Tapjacking is avoidable if you look closely. Everything is fine in app land as long as your Android does not let activities collect input while an overlay is active. Unfortunately, the platform leaves that to each app: the filterTouchesWhenObscured setting has existed since Android 2.3, but it is off by default, so an app that never enables it happily accepts touches through an overlay. Android 6.0 tightened the other side by requiring users to grant the "draw over other apps" permission explicitly in Settings. However, with Android 6.0.1 Google began auto-granting that permission to apps installed from Google Play, which reopened the door and resulted in several cases of compromised user data. One reason appears to be that Google believed users preferred convenience over the annoyance of constantly setting permissions, but the cost of that choice has been high.

Android 12 adds a further control for developers: an app that declares the HIDE_OVERLAY_WINDOWS permission can call Window.setHideOverlayWindows(true) when a sensitive screen is opened, and the system then hides other apps' TYPE_APPLICATION_OVERLAY windows for as long as that screen is on top.

What Should You Do?

Users should go to the section of their settings that deals with overlays. It is usually called "Apps that can appear on top" or "Display over other apps"; if you cannot find it, a quick search for your phone's make and model will reveal the correct setting. Revoke the permission for any app that has no good reason to draw over the screen.
Developers should take the users' side and add the following items to the pre-release checklist: set android:filterTouchesWhenObscured="true" on every sensitive view (or call setFilterTouchesWhenObscured(true) in code), and override onFilterTouchEventForSecurity() wherever a view needs a stricter policy than the default.
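The following Java activity is an added example, not the article's code and not from any real app, that puts the Android 12 control described above and the developer checklist items into one login screen: it calls setHideOverlayWindows(true) when running on Android 12 or later with the HIDE_OVERLAY_WINDOWS permission declared, enables filterTouchesWhenObscured on the input fields, and overrides onFilterTouchEventForSecurity() on the login button so that partially obscured touches, which the default filter lets through, are dropped as well. The class and view names and the log messages are assumptions.

```java
import android.Manifest;
import android.app.Activity;
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Build;
import android.os.Bundle;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;
import android.widget.EditText;
import android.widget.LinearLayout;
import android.widget.Toast;

/**
 * SecureLoginActivity (hypothetical): a login screen with three layers of tapjacking defence.
 * Manifest: <uses-permission android:name="android.permission.HIDE_OVERLAY_WINDOWS"/>
 * (a normal permission, granted at install time once declared).
 */
public class SecureLoginActivity extends Activity {
    private static final String TAG = "SecureLogin";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Layer 1 (Android 12+): ask the system to hide other apps' TYPE_APPLICATION_OVERLAY
        // windows while this window is on top. Calling it without the permission throws.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S
                && checkSelfPermission(Manifest.permission.HIDE_OVERLAY_WINDOWS)
                        == PackageManager.PERMISSION_GRANTED) {
            getWindow().setHideOverlayWindows(true);
        }

        LinearLayout root = new LinearLayout(this);
        root.setOrientation(LinearLayout.VERTICAL);

        EditText user = new EditText(this);
        user.setHint("Username");
        EditText pass = new EditText(this);
        pass.setHint("Password");
        // Layer 2: same effect as android:filterTouchesWhenObscured="true" in layout XML.
        // Touches that arrive while another window fully covers this one are discarded.
        user.setFilterTouchesWhenObscured(true);
        pass.setFilterTouchesWhenObscured(true);

        // Layer 3: the button applies a stricter policy than the stock filter.
        ObscuredAwareButton login = new ObscuredAwareButton(this);
        login.setText("Log in");
        login.setOnClickListener(v -> Log.i(TAG, "login tapped with an unobscured window"));

        root.addView(user);
        root.addView(pass);
        root.addView(login);
        setContentView(root);
    }

    /** Button that refuses both fully and partially obscured touches. */
    static final class ObscuredAwareButton extends Button {
        ObscuredAwareButton(Context context) {
            super(context);
            setFilterTouchesWhenObscured(true);
        }

        @Override
        public boolean onFilterTouchEventForSecurity(MotionEvent event) {
            int flags = event.getFlags();
            boolean fullyObscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
            // FLAG_WINDOW_IS_PARTIALLY_OBSCURED exists since Android 10 (API 29); the default
            // View implementation ignores it, so a decoy covering only the button gets through.
            boolean partlyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                    && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
            if (fullyObscured || partlyObscured) {
                Log.w(TAG, "Dropped touch: window obscured by another window (flags=0x"
                        + Integer.toHexString(flags) + ")");
                Toast.makeText(getContext(),
                        "Close apps drawing over the screen and try again",
                        Toast.LENGTH_SHORT).show();
                return false;  // discard the event instead of delivering it as a click
            }
            return super.onFilterTouchEventForSecurity(event);
        }
    }
}
```

Layer 1 only covers TYPE_APPLICATION_OVERLAY windows on Android 12 and later, so layers 2 and 3 remain necessary on older devices. Returning false from onFilterTouchEventForSecurity() drops the whole gesture, so the user-facing toast is what turns a silently ignored tap into an explainable one.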

Conclusion 

Facestealers are easy to avoid if users take the time to read reviews before downloading apps from the Play Store or Apple's App Store. Do not rush to install an app without checking the reviews first, and then checking again. Prevention is better than cure.

Also, unless you are an experienced security practitioner, avoid installing brand-new apps. Wait until enough users have left reviews for you to make an informed decision. Be aware that some cybercriminals plant fake reviews to deceive users; you can usually spot them only if you are patient enough to read the reviews thoroughly.

Understanding and preventing tapjacking is not rocket science. Tapjacking succeeds because of platform defaults that favour convenience, app developers who never enable the protections available to them, and users who are unaware of the trick. Now that you are aware of it, you can avoid it.
