In case of successful harvesting of Facebook credentials, the hacker gets access to the user’s personal information like personals details, friend lists, relation details, activities, private posts & messages, Photo/Videos, life events, etc. and perform malicious activities such as hackers can
So, losing Facebook credentials to hackers can be very dangerous, as it could lead to several unforeseen consequences.
The Quick Heal Security Labs have reported the following applications to Google Play Store, and Google has taken prompt action (see Fig. 2) and removed these applications from Google Play Store.
Fig. 1. Reported applications from Google Play Store with its download count
Fig. 2. Mail about application report to Google and Google’s confirmation
Below is a technical analysis of these applications:
#1. Application Name: PicsArt
This application used various string encryptions to avoid AV engine detection and made analysis difficult for researchers.
Fig. 3. Application launch and ask for Facebook credentials
But in the background, this application makes a request to the URL – hxxps[:]//mago[.]qfoster[.]shop/PHP/submit/data.
Fig. 4. shows the code executed by the application to make this request.
Fig. 4. Code for the above request
And application gets the encrypted response which is shown in Fig. 5
Fig. 5. Response from c2 for application’s request
Received encrypted data is decrypted by application which is shown in Fig.6.
Fig. 6. Decryption flow for response data
The application uses DES/CBC encryption followed by Base64 to get intermediate data for this encryption purpose. Then AES/CBC encryption is followed by Base64 to get a final decrypted response.
Fig. 7 shows the final decrypted output of this process. This decrypted data is used by applications for further processes.
Fig. 7. Final decrypted response data
The application saves this decrypted data in the SharedPreference file, i.e. x86m.xml, for future use.
Check Fig. 8. where data of x86m.xml is shown.
Fig. 8. SharedPreference File x86m.xml data
Here functions C0151a.m855b() gives values from shared preference file “x86m.xml” then these values are decrypted by C0152a.m930a() function-
Fig. 10. gives the flow of decryption of this data. It takes the value of the “desc” key from the shared preference file. Then it uses AES/ECB encryption two times, followed by Base64 decryption to get the final decrypted JS code.
To get Facebook URL decryption function is called inside the webview.loadurl() function.
In this decryption function:
The above steps are explained in Fig. 11.
Fig. 11. Facebook URL decryption Flow
This function takes the values and stores them in one of the shared preference files – “FILE_KPx86m”, as shown in Fig.12
Fig. 12. Code which keeps collected information in one file
Below code (Fig.13.) is preparing collected data for submission.
Fig. 14 explains this code.
Fig. 13. Encrypting collected data
Fig. 14. Posting collected data to c2
#2. Application name: smart scanner
The second application, i.e. smart scanner, which we have reported, is relatively less complex.
This application opens with a smart scanner default screen (shown in the middle of the image). After clicking the login with Facebook button, it opens the third screen, asking a user to log in with Facebook credentials.
Fig. 15. Smart scanner application Launch
This application is comparatively less encrypted than the above application.
As shown in the first part of Fig. 16,
Fig. 16. Application malicious code
Quick Heal Security Labs detect these apps with variants of Android. Facestealer
Social media credentials theft is not seen as a severe issue as financial credentials theft. As we stated earlier, this is a challenging issue, and users should understand the problem involved.
Malware authors spread these malware applications on the Google Play Store in photo editing applications, pdf applications. Users easily download these types of applications without giving much thought. Users should avoid logging in using social media for such kinds of applications.
Users should use features provided by Facebook to secure their account, such as
These features may help users to avoid getting hacked by hackers.
Quick Heal Security Lab continuously checks applications from Google Play Store for such malware.