An Android application available on the Google Play Store presents itself as a photo editing application. However, it contains code that steals the user’s Facebook credentials, along with their payment information, to potentially run ad campaigns on the user’s behalf.
The application is called “Blender Photo Editor-Easy Photo Background Editor” and has been installed over 5,000 times so far.
Last week, similar malicious apps with over 500,000 installations were also found on the Play Store.
“Login” with Facebook does more than just log in
Like many Android apps, the “Blender Photo Editor-Easy Photo Background Editor” app comes with Facebook login functionality. Except that it also uses your Facebook credentials to do shady stuff.
Tatiana Shishkova, an Android malware analyst at Kaspersky, this week discovered the “trojan” application, which is still available on the Google Play Store at the time of writing.
The app contains malicious code, identical to what was found in similar “photo editor” apps last week by Maxime Ingrao, security researcher at the mobile payments cybersecurity company Evina.
The apps then query the Facebook Graph API to access the user’s Facebook account and find the stored ad campaigns and payment information.
The malware, according to Ingrao, “is very interested in what advertising campaigns you may have done and whether you have a registered credit card.” This would allow the attacker behind these apps to create their own ad campaigns through the user’s Facebook credentials and related payment information.
Identical applications installed more than 500,000 times
Ingrao had previously discovered similar malicious applications called “Magic Photo Lab – Photo Editor” and “Pix Photo Motion Edit 2021”, the latter of which recorded more than 500,000 installations.
Both apps have since been removed from the Google Play Store.
The researcher shared some information with TechToSee on how he discovered something was wrong with these apps.
“I first noticed the suspicious code while performing a dynamic scan,” Ingrao told TechToSee in an email interview.
TechToSee has also scanned the APK for “Blender Photo Editor-Easy Photo Background Editor”, which is still live on Google Play, and can confirm that it has seen identical malicious code in the app.
During our analysis, we attempted to roughly reconstruct the Java source code of the Android application from the compiled APK (bytecode).
The suspect class “sources/com/easyblender/blendphoto/Blends/ext/AnaActivity.java” contains the WebView referenced by Ingrao. Additionally, we noticed some partial strings, such as “m.face” and “mf”, referring to the m.facebook.com and m.fb.com domains.
This is when the aforementioned requests to Facebook’s Graph API are made, to look through all the Facebook ad campaigns present in the user’s account, along with the user’s associated payment information.
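A defender-side triage sketch for the static finding above, added here and not taken from TechToSee's or the researchers' analysis: it flags decompiled classes that use a WebView and hold Facebook host names only as split or partial string literals. That the fragments are rejoined by literal concatenation is an assumption, and both sample classes are constructed.

```python
import re

# Hosts named in the article. The split-literal pattern below is an assumption
# about how fragments such as "m.face" are rejoined at runtime.
TARGET_HOSTS = ("m.facebook.com", "m.fb.com")
LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
CONCAT = re.compile(r'"(?:[^"\\]|\\.)*"(?:\s*\+\s*"(?:[^"\\]|\\.)*")+')

def triage(java_source):
    """Static triage of one decompiled Java class."""
    literals = LITERAL.findall(java_source)
    # Hosts written out in full: normal for share links, not a finding alone.
    whole = sorted({h for h in TARGET_HOSTS if any(h in s for s in literals)})
    # Hosts that only appear once adjacent literals are joined.
    split = set()
    for m in CONCAT.finditer(java_source):
        parts = LITERAL.findall(m.group(0))
        joined = "".join(parts)
        split.update(h for h in TARGET_HOSTS
                     if h in joined and not any(h in p for p in parts))
    # Standalone literals that are a proper prefix of a host. Very short
    # pieces are skipped: they match too much to be useful on their own.
    fragments = sorted({s for s in literals for h in TARGET_HOSTS
                        if 4 <= len(s) < len(h) and h.startswith(s)})
    webview = "WebView" in java_source
    return {"webview": webview, "whole_hosts": whole,
            "split_hosts": sorted(split), "fragments": fragments,
            "suspicious": webview and bool(split or fragments)}

# Constructed samples, not code from the analysed APK.
SUSPECT = '''
public class SampleActivity extends Activity {
    private WebView view;
    void open() {
        String host = "m.face" + "book.com";
        view.loadUrl("https://" + host + "/");
    }
}
'''
BENIGN = '''
public class ShareActivity extends Activity {
    private WebView view;
    void share() { view.loadUrl("https://m.facebook.com/sharer"); }
}
'''

if __name__ == "__main__":
    for name, src in (("SUSPECT", SUSPECT), ("BENIGN", BENIGN)):
        print(name, triage(src))
```

A hit is a prompt for manual review of the class, not a verdict: legitimate apps also embed Facebook hosts, which is why full host literals alone are not flagged.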
Android users should beware of these recently seen “photo editing” apps on the Google Play Store. Those who have already installed such an app should uninstall it immediately, clean their smartphone and reset their Facebook credentials.
TechToSee reported the aforementioned Blender photo editor app to Google Play before this article was released.