More than 200 Android apps masquerading as fitness, photo editing and puzzle apps have been observed distributing spyware called Facestealer to retrieve user credentials and other valuable information.
“Like Joker, another piece of mobile malware, Facestealer changes its code frequently, creating many variants,” Trend Micro analysts Cifer Fang, Ford Quin and Zhengyu Dong said in a new report. “Since its discovery, the spyware has continuously besieged Google Play.”
Facestealer, first documented by Doctor Web in July 2021, refers to a group of fraudulent apps that invade the official Android app marketplace with the goal of looting sensitive data such as Facebook login credentials.
Of the 200 apps, 42 are VPN services, followed by camera (20) and photo editing applications (13). In addition to collecting credentials, the apps are also designed to collect Facebook cookies and personally identifiable information associated with a victim’s account.
In addition, Trend Micro revealed that it uncovered over 40 rogue cryptocurrency mining apps targeting users interested in virtual coins with malware designed to trick users into viewing ads and paying for subscription services.
Some of the fake crypto apps, such as Cryptomining Farm Your own Coin, take it one step further by also attempting to steal private keys and mnemonic phrases (or seed phrases) used to restore access to a cryptocurrency wallet.
To avoid falling victim to such scam apps, users are advised to check negative reviews, verify the legitimacy of developers, and avoid downloading apps from third-party app stores.
New study analyzes malicious Android apps installed in the wild
The findings come as researchers from NortonLifeLock and Boston University published what they called the “largest on-device study” of Android-based potentially harmful apps (PHAs), covering 8.8 million PHAs installed on over 11.7 million devices between 2019 and 2020.
“PHAs persist on Google Play for 77 days on average and 34 days in third-party marketplaces,” the study noted, pointing to the lag between when PHAs are identified and when they are removed, and adding that 3,553 apps showed inter-market migration after being taken down.
The research also shows that PHAs persist for much longer on average when users switch devices and the apps are automatically installed while restoring from a backup.
As many as 14,000 PHAs have reportedly been transferred to 35,500 new Samsung devices using the Samsung Smart Switch mobile app, with the apps lasting on the phones for a period of approximately 93 days.
“The Android security model severely limits what mobile security products can do when they detect a malicious app, allowing PHAs to persist for days on victim devices,” the academics said. “The current notification system used by mobile security apps is not effective in convincing users to uninstall PHAs immediately.”