Beware of 'GhostTeam' Android malware that steals Facebook passwords using Google Play apps

More than 50 Android applications on Google's official Play Store marketplace have been found to house malicious code which hackers could use to steal Facebook passwords.

Dubbed 'GhostTeam' by cybersecurity company Trend Micro, the code is a form of adware that was caught targeting users across India, Indonesia, Brazil, Vietnam and the Philippines.

The developers of the malware, also codenamed GhostTeam due to the name appearing in the code, designed it to "aggressively" display pop-up advertising on an infected device's home screen.

"The apps pose as utility (flashlight, QR code scanner, compass) and device performance-boosting apps (file transfer, cleaner) and more notably, social media video downloaders," explained mobile threat analyst, Kevin Sun, in a blog post Thursday (18 January).

"The use of video downloaders as social engineering hooks — enticing users with features that allow them to download videos for offline viewing — concurs with our detections for GhostTeam."

Many of the apps had lurked on the store since April 2017. After being discovered and reported, Google took steps to remove them and better protect its users. There were 53 compromised apps but it remains unclear how many times they had been downloaded.

Trend Micro said that after being downloaded, the malware disguises itself as "Google Play Services". When the victim opens Google Play or Facebook, it displays an alert urging them to install the booby-trapped app and grant it administrator permissions.

Sun explained: "Once the user opens the Facebook app, a dialog will prompt him/her to verify the account. The verification process is a typical login procedure.

"Behind the scenes, however, it executes a WebView (responsible for rendering web pages in Android apps). The malicious code injected in the WebView client will steal the email and password used to log in to the Facebook app, which it sends to the command and control server."

A Facebook spokesperson said: "We are blocking the distribution of these apps where we can and we have systems to help detect compromised accounts and credentials."

According to Trend Micro, stolen passwords have not yet been used in a hacking scheme. It said the credentials may instead be being sold in the criminal underground, the dark web.

"While we haven't seen active cybercriminal campaigns that use the stolen Facebook credentials so far, it's not far-fetched to think they would," Sun wrote. The firm advises Android users to ensure they have the latest security patches installed, and to always check app reviews.

In August 2017, it emerged that hackers were exploiting Facebook's messaging service to spread "advanced" malware code. You can find the full list of infected Android applications here.