A malicious Android app that steals Facebook passwords has been downloaded more than 100,000 times through the Google Play Store, and the app is still available for download. The Android malware is disguised as the ‘Craftsart Cartoon Photo Tools’ cartoonifier app, which allows users to submit an image and transform it into a cartoon depiction. Security researchers at mobile security firm Pradeo found last week that the Android app contains a trojan known as ‘FaceStealer,’ which displays a Facebook login page and requires users to log in before accessing the app.
According to Jamf security researcher Michal Rajčan, when users enter their credentials, the app sends them to a command and control server at zutuu[.]info [VirusTotal], from which the attackers can then collect them. In addition to the C2 server, the malicious Android app connects to the URL www.dozenorms[.]club [VirusTotal], where further data is sent and which has been used in the past to promote other malicious FaceStealer Android apps. As Pradeo explains in its report, the author and distributor of these apps appears to have automated the repackaging process, injecting a small piece of malicious code into an otherwise legitimate app.
This helps the apps get through the Play Store vetting procedure without raising any red flags. As soon as the user opens the app, they are not given any actual functionality unless they log in to their Facebook account. Once they log in, the app provides limited functionality by uploading a chosen image to the online editor at http://color.photofuneditor.com/, which applies a graphics filter to the picture. The new image is then displayed in the app, where the user can download it or send it to friends.
Because many apps unnecessarily require users to log in to a server, in many cases Facebook, users have become numb to these login prompts and commonly enter their credentials without suspicion. As popular and fun as these cartoonifier apps may be, people should be extra cautious when installing software that requires them to submit sensitive information such as biometric data (images of their faces). These apps perform the image alterations and apply filters on a remote server, not locally on the device, so your data is uploaded to a remote location and is at risk of being kept indefinitely, shared with others, resold, and so on.
Since this particular app is still on the Play Store, one might assume that it is trustworthy. Unfortunately, malicious Android apps sometimes sneak into the Google Play Store and remain there until they are flagged by bad reviews or discovered by security companies. In many cases, however, it is possible to spot scammy and malicious apps by looking at their reviews on Google Play.
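The two network indicators the article names, zutuu[.]info and www.dozenorms[.]club, are printed in "defanged" form (the dot wrapped in brackets so the text cannot be clicked). A defender who wants to check whether any device on the network resolved those hosts has to reverse that convention before matching. The following added example, which is not code from the article, from Pradeo or from Jamf, refangs the article's indicators into a blocklist and runs it over a constructed DNS resolver log; the log format (`timestamp client query: name`) and the log lines themselves are assumptions made for the example, and the one hostname in the log that is not taken from the article (`notzutuu.info`) is a constructed non-match used to show that matching respects label boundaries.

```python
import re
from typing import Iterable, List, Set, Tuple

# Indicators as printed in the article, in their defanged ("[.]") form.
DEFANGED_IOCS = [
    "zutuu[.]info",          # command and control server that receives the credentials
    "www.dozenorms[.]club",  # second endpoint to which further data is sent
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (zutuu[.]info, hxxp://host/path) into a bare hostname."""
    host = indicator.strip().lower()
    host = re.sub(r"^hxxps?://", "", host)          # hxxp:// is the common defanged scheme
    host = host.replace("[.]", ".").replace("(.)", ".")
    return host.split("/")[0].rstrip(".")


def build_blocklist(indicators: Iterable[str]) -> Set[str]:
    """Refang every indicator so the set can be compared against real log data."""
    return {refang(i) for i in indicators}


def host_matches(host: str, blocklist: Set[str]) -> bool:
    """True if host equals a blocklisted name or is a subdomain of one.

    The '.' prefix on the suffix check is deliberate: without it, a name such as
    notzutuu.info would wrongly match zutuu.info.
    """
    host = host.lower().rstrip(".")                 # DNS logs may carry a trailing root dot
    return any(host == b or host.endswith("." + b) for b in blocklist)


# Assumed log format for this example: "<timestamp> <client-ip> query: <name>".
LOG_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<qname>\S+)\s*$")


def scan_dns_log(lines: Iterable[str], blocklist: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, queried name) for every line that hits the blocklist."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue                                # ignore lines that are not query records
        qname = m.group("qname").lower().rstrip(".")
        if host_matches(qname, blocklist):
            hits.append((m.group("ts"), m.group("client"), qname))
    return hits


# Constructed sample log (not real traffic). The editor hostname is the one the
# article says the app uploads images to; it is not an indicator and must not hit.
SAMPLE_DNS_LOG = [
    "2022-03-22T10:01:12Z 10.0.0.15 query: color.photofuneditor.com",
    "2022-03-22T10:01:13Z 10.0.0.15 query: zutuu.info",
    "2022-03-22T10:01:14Z 10.0.0.15 query: WWW.DOZENORMS.CLUB.",
    "2022-03-22T10:02:40Z 10.0.0.23 query: notzutuu.info",     # constructed near-miss
    "malformed line that is not a query record",
]

if __name__ == "__main__":
    blocklist = build_blocklist(DEFANGED_IOCS)
    for ts, client, name in scan_dns_log(SAMPLE_DNS_LOG, blocklist):
        print(f"{ts} {client} resolved blocklisted host {name}")
```

Run against the constructed log, the scan reports the two resolutions from 10.0.0.15 and nothing else; the upper-case, trailing-dot spelling of the second indicator still matches because both sides are normalised before comparison. Feeding the same blocklist to a real resolver or proxy log only requires adapting `LOG_LINE_RE` to that log's layout.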