"Fakeapp" Android Malware Steals Facebook Credentials, Logs into Accounts

[LASER_oneXM]

A new Android malware strain can phish Facebook user credentials and then log into accounts to harvest account details, and even search and collect results using the Facebook app's search functionality.

Named Fakeapp, this new malware strain was detected earlier this month by Symantec researchers. Symantec says the app is currently distributed inside malicious apps made available to English-speaking users on third-party app stores.

Despite targeting the English-speaking audience, Symantec researchers say most victims are from the Asia-Pacific region, suggesting the third-party app stores have a local Asian audience only.

App uses fake login screen to phish Facebook credentials

Apps infected with the Fakeapp malware will immediately hide from the phone's home screen, but start a service that runs in the background.


This service is responsible for starting a spoofed Facebook login user interface to steal user credentials. Fakeapp periodically displays this login screen (pictured above) until users enter their Facebook credentials.

This is where Fakeapp is different from all previous Android info-stealing trojans. Besides sending the collected Facebook credentials to the attacker's server, the malware also immediately uses these credentials on the victim's device.

Fakeapp immediately logs into compromised accounts
Fakeapp starts a WebView window (WebView is a stripped down mobile browser app) and makes this window almost entirely transparent with a window alpha-transparency value of "0.01f" — near 0.
It then loads the Facebook login page and accesses the user's account.
.... .... ......

Symantec: Surprising level of sophistication

"The functionality that crawls the Facebook page has a surprising level of sophistication," Martin Zhang and Shaun Aimoto, the two Symantec researchers who analyzed Fakeapp say.