Stay Alert of Facebook Credential Stealer Applications Stealing User’s Credentials.

Social media credentials are always a lucrative thing for threat actors. They use various techniques to get them. Some use overlays with fake user interfaces, some use key-logging, and some use simple social engineering to trap users. Another way threat actors have been used in the recent past is JavaScript code injection in WebView to steal Facebook credentials. The script directly hacked the entered Facebook login credentials.

In Jan 2022, Quick Heal Security Labs saw many Facebook credentials stealer applications on Google Play Store, which use different techniques to hide their JavaScript code. Android researchers named Facebook credential stealer “Facestealer.”

How dangerous is this?

In case of successful harvesting of Facebook credentials, the hacker gets access to the user’s personal information like personals details, friend lists, relation details, activities, private posts & messages, Photo/Videos, life events, etc. and perform malicious activities such as hackers can

• Impersonate to be a real user & use this data for malicious activities like phishing & Spoofing. 
• Use the compromised accounts to distribute spam messages, malicious links, malware files, etc.
• Blackmail the victim user with collected private sensitive data for financial or other benefits.
• Spoil the victim’s social reputation.
• Change the victim’s personal details.
• Post unwanted posts.
• Compromise victims’ other social media and professional accounts using the collected information.

So, losing Facebook credentials to hackers can be very dangerous, as it could lead to several unforeseen consequences.

What Did Quick Heal Security Do For This?

The Quick Heal Security Labs have reported the following applications to Google Play Store, and Google has taken prompt action (see Fig. 2) and removed these applications from Google Play Store.

Fig. 1. Reported applications from Google Play Store with its download count

Fig. 2. Mail about application report to Google and Google’s confirmation

Below is a technical analysis of these applications:

Technical Analysis:

#1. Application Name: PicsArt

MD5: db95ae3cc6697bc9169fc9d6566a97bc

This application used various string encryptions to avoid AV engine detection and made analysis difficult for researchers.

This application:

• Opens with a Picsart screen (shown in the middle).
• Then redirects it to the next page, asking for Facebook credentials.  

Fig. 3. Application launch and ask for Facebook credentials

But in the background, this application makes a request to the URL – hxxps[:]//mago[.]qfoster[.]shop/PHP/submit/data.

Fig. 4. shows the code executed by the application to make this request.

Fig. 4. Code for the above request

And application gets the encrypted response which is shown in Fig. 5

Fig. 5. Response from c2 for application’s request

Received encrypted data is decrypted by application which is shown in Fig.6.

Fig. 6. Decryption flow for response data

The application uses DES/CBC encryption followed by Base64 to get intermediate data for this encryption purpose. Then AES/CBC encryption is followed by Base64 to get a final decrypted response.

Fig. 7 shows the final decrypted output of this process. This decrypted data is used by applications for further processes.

Fig. 7. Final decrypted response data

The application saves this decrypted data in the SharedPreference file, i.e. x86m.xml, for future use.

Check Fig. 8. where data of x86m.xml is shown.

Fig. 8. SharedPreference File x86m.xml data

Now, the application uses these values to get the Facebook URL value and JavaScript injection code.

Here functions C0151a.m855b() gives values from shared preference file “x86m.xml” then these values are decrypted by C0152a.m930a() function-

javascript:window.assi.showAsd(document.getElementById(‘m_login_email’).value,document.getElementById(‘m_login_password’).value); 

Fig. 9 shows this, which decrypts Facebook URL values, JavaScript injection code, and execution it deploys.

Fig. 9. Code for opening official Facebook page and JavaScript injection

Fig. 10. gives the flow of decryption of this data. It takes the value of the “desc” key from the shared preference file. Then it uses AES/ECB encryption two times, followed by Base64 decryption to get the final decrypted JS code.

Fig. 10. JavaScript injection code decryption flow

To get Facebook URL decryption function is called inside the webview.loadurl() function.

In this decryption function:

• It takes the value of the “private” key from the shared preference file
• Then it uses AES/ECB decryption followed by Base64 to get intermediate data
• Then DES/CBC followed by Base64 to get second intermediate data
• Then AES/ECB followed by Base64 to get the final URL value

The above steps are explained in Fig. 11.

Fig. 11. Facebook URL decryption Flow

After this, “ShowAsd” is the function called from JavaScript code.

This function takes the values and stores them in one of the shared preference files – “FILE_KPx86m”, as shown in Fig.12

Fig. 12. Code which keeps collected information in one file

Below code (Fig.13.) is preparing collected data for submission.

• It takes data from the FILE_KPx86m file
• Then it first encrypts it with AES/CBC
• Then with DES/ECB.
• Then it sends this encrypted data to the C&C server

Fig. 14 explains this code.

Fig. 13. Encrypting collected data

Fig. 14. Posting collected data to c2

#2. Application name: smart scanner

MD5: 38a72e3b36c4b44bf22c0ce78ec668d1

The second application, i.e. smart scanner, which we have reported, is relatively less complex.

This application opens with a smart scanner default screen (shown in the middle of the image). After clicking the login with Facebook button, it opens the third screen, asking a user to log in with Facebook credentials.

Fig. 15. Smart scanner application Launch

This application is comparatively less encrypted than the above application.

As shown in the first part of Fig. 16,

• The application opens the official Facebook page.
• Here it adds a JavaScript interface with the name “jshandler.”
• In part 2, we can see the JavaScript code to get email and password values.
• In part 3, it creates a JSON object with this data,
• In part 4, it sends it to c2.

Fig. 16. Application malicious code

IOCs:

Quick Heal Security Labs detect these apps with variants of Android. Facestealer

Social media credentials theft is not seen as a severe issue as financial credentials theft. As we stated earlier, this is a challenging issue, and users should understand the problem involved.
Malware authors spread these malware applications on the Google Play Store in photo editing applications, pdf applications. Users easily download these types of applications without giving much thought. Users should avoid logging in using social media for such kinds of applications.

How can users secure their Facebook account?

Users should use features provided by Facebook to secure their account, such as

• Two-factor authentication
• Trusted contacts 

These features may help users to avoid getting hacked by hackers.

Quick Heal Security Lab continuously checks applications from Google Play Store for such malware.

Digvijay Mane