Home » Android photo editor app ALWAYS on Google Play Store is malware

Android photo editor app ALWAYS on Google Play Store is malware


An Android application installed on the Google Play Store is presented as a photo editing application. But, it contains code that steals the user’s Facebook credentials to potentially run ad campaigns on the user’s behalf, along with their payment information.

The application is called “Blender Photo Editor-Easy Photo Background Editor” and has been installed over 5,000 times so far.

Last week, similar malicious apps with over 500,000 installations were also found on the Play Store.

“Login” with Facebook does more than just log in

Like many Android apps, “Blender Photo Editor-Easy Photo Background Editor” app comes with connection with Facebook functionality. Except that it also uses your Facebook credentials to do shady stuff.

Tatiana Shishkova, an Android malware analyst at Kaspersky, this week discovered the “trojan” application which is still available on the Google Play Store at the time of writing.

Android app malicious photo editor
Android photo editing app still on the Google Play Store (Sound computer)

The app contains malicious code, identical to what was found in similar “photo editor” apps last week by Maxime Ingrao, security researcher at the mobile payments cybersecurity company Evina.

These Android apps require Android users to log in through their Facebook account to access the app and then silently collect credentials through encrypted JavaScript commands hidden within the app.

The apps then ask the Facebook Graph API to visit the user’s Facebook account and find the stored ad campaigns and payment information.

The malware, according to Ingrao, “is very interested in what advertising campaigns you may have done and whether you have a registered credit card.” This would allow the attacker behind these apps to create their own ad campaigns through the user’s Facebook credentials and related payment information.

Identical applications installed more than 500,000 times

Ingrao had previously discovered similar malicious applications called “Magic Photo Lab – Photo Editor” and “Pix Photo Motion Edit 2021”, the latter of which recorded more than 500,000 installations.

Both apps have since been removed from the Google Play Store.

Malicious Android apps with over 500,000 downloads from Google Play Store
Malicious Android apps with over 500,000 downloads from Google Play Store (Sound computer)

The researcher shared some information with TechToSee on how he discovered something was wrong with these apps.

“I first noticed the suspicious code while performing a dynamic scan,” Ingrao told TechToSee in an email interview.

“I noticed that WebView was running JavaScript to retrieve the credentials. Then I uploaded the code and re-encoded the function that decrypts the texts inside the code, this is how I do it. found the JavaScript executed and the calls to the Facebook Graph API, “continued the French security researcher.

TechToSee has also scanned the APK for “Blender Photo Editor-Easy Photo Background Editor”, which is still live on Google Play, and can confirm that it has seen identical malicious code in the app.

During our analysis, we attempted to roughly reconstruct the Java source code of the Android application from the compiled APK (bytecode).

The suspect class “sources / com / easyblender / blendphoto / Blends / ext / AnaActivity.java” contains the WebView referenced by Ingrao. Additionally, we noticed some partial strings, such as “m.face” and “mf” referring to m.facebook.com and m.fb.com areas.

The obfuscated code, in various places, contains strings encrypted with JavaScript code that are only decrypted while the application is running. The code contains instructions for retrieving the user’s Facebook “access_token” to authenticate with the Facebook API and access Facebook session cookies such as “c_user”, all of which can appear as part of the workflow. normal “Connection with Facebook”. .

Malicious application code of the photo editor
Various instances of obfuscated and encrypted code found in the app (Sound computer)

But at runtime, the following JavaScript code, seen by Ingrao, performs additional espionage. An application-initiated WebView executes this JavaScript code to retrieve the Facebook credentials entered by the user.

And this is when the aforementioned requests to Facebook’s API Graph are made, to take a look at all the Facebook ad campaigns present in the user’s account, along with the information of the user. associated payment:

Malicious JS code decrypts at run time
Malicious JS code decrypts at run time (Maxime Ingrao)

Android users should beware of these recently seen “photo editing” apps on the Google Play Store. Those who have already installed such an app should uninstall it immediately, clean their smartphone and reset their Facebook credentials.

TechToSee reported the aforementioned Blender photo editor app to Google Play before it was released.


Please enter your comment!
Please enter your name here

Stay on Top - Get the daily news in your inbox

Trending this Week