Android spyware steals Facebook credentials — installed by over 100,000 users

(Image credit: Getty Images)

Mobile cybersecurity researchers discovered a harmful Android app on the Google Play Store that steals users' Facebook credentials to gain full access to their data, including credit card details, conversations, searches and more.

Cybersecurity company Pradeo detected the malicious Android app, discovering that it uses social engineering techniques to steal Facebook credentials and make connections to a Russian server. More than 100,000 users have the app installed, but the company has reported the app has now been removed from the Google Play Store. 

The Android app, known as "Craftsart Cartoon Photo Tools," disguised itself as a legitimate photo-editing application. As Pradeo states, it holds a small piece of code that slips under the radar of the Google Store's security. What's more, it embeds an Android trojan known as Facestealer. 

(Image credit: Pradeo)

Once a user launches the app, a Facebook login page opens and restricts the user from using the app until they input their username and password. If they do, this information is automatically transmitted to the hackers.

"The application Craftsart Cartoon Photo Tools makes connections to a domain registered in Russia," states cybersecurity researcher Roxane Suau. "Our research shows that this domain has been used for 7 years on and off, and is connected to multiple malicious mobile applications that were at some points available on Google Play and later deleted."

Suau continues: "To maintain a presence on Google Play, repackaging mobile apps is common practice for cybercriminals. Sometimes, we even observed cases in which repackaging was entirely automated."

While the Android app has now been removed from the Google Play Store, it's a good idea to check and delete the app if it happens to be on your phone.

This isn't the only malware threat spotted this month, as hackers have also found a way to infiltrate iPhones using Apple's own developer tools. What's worse, it's left a victim $20,000 out of pocket. If you're in need of another layer of security on your phone, check out our best antivirus apps

Darragh Murphy

Darragh Murphy is fascinated by all things bizarre, which usually leads to assorted coverage varying from washing machines designed for AirPods to the mischievous world of cyberattacks. Whether it's connecting Scar from The Lion King to two-factor authentication or turning his love for gadgets into a fabricated rap battle from 8 Mile, he believes there’s always a quirky spin to be made. With a Master’s degree in Magazine Journalism from The University of Sheffield, along with short stints at Kerrang! and Exposed Magazine, Darragh started his career writing about the tech industry at Time Out Dubai and ShortList Dubai, covering everything from the latest iPhone models and Huawei laptops to massive Esports events in the Middle East. Now, he can be found proudly diving into gaming, gadgets, and letting readers know the joys of docking stations for Laptop Mag.