Cyber security researchers are warning Android users about a new form of malware that can hijack phones and steal Facebook passwords.
The malware has been discovered in more than 50 apps in the Google Play Store and has been targeting users in Brazil, India, Indonesia, the Philippines and Vietnam.
The malware was hidden in flashlight apps, QR scanners, and compass apps – the likes of which are best avoided.
The malware, dubbed GhostTeam, aggressively displays pop-up advertising on the home screen of the infected device.
“The apps pose as utility (flashlight, QR code scanner, compass) and device performance-boosting apps (file transfer, cleaner) and more notably, social media video downloaders,” Kevin Sun from Trend Micro wrote in a blog post.
“The use of video downloaders as social engineering hooks — enticing users with features that allow them to download videos for offline viewing — concurs with our detections for GhostTeam.”
The infected apps had been available to download from the Google Play Store from April 2017 before they were finally removed by Google. It remains unclear exactly how many devices were infected.
Trend Micro said that after the malware is downloaded it disguises itself as Facebook or Google Play Services. When a victim then unwittingly opens the rogue app it displays an alert warning them to download another app to verify their login.
“Once the user opens the Facebook app, a dialog will prompt him/her to verify the account. The verification process is a typical login procedure,” Trend Micro said.
“Behind the scenes, however, it executes a WebView (responsible for rendering web pages in Android apps). The malicious code injected in the WebView client will steal the email and password used to log in to the Facebook app, which it sends to the command and control server.”
Meanwhile Facebook has said it is aware of the issue and has been taking measures to stop users being compromised.
“We are blocking the distribution of these apps where we can and we have systems to help detect compromised accounts and credentials.”