New Android Malware Dubbed as “GhostTeam” can Steal Facebook

Google recently removed a total of 63 apps from the official Play Store after they were found to carry a new strain of Android malware dubbed “GhostTeam”, which can steal Facebook credentials and bombard users of infected devices with ads.

The malware was discovered by security teams at Trend Micro and Avast. According to the researchers, it had been active in the Google Play Store for a long time but was only identified recently and reported to Google.

GhostTeam's distribution technique matches the method currently favored by most Android malware developers.

The initial infection begins when a user installs a clean app with legitimate features. This app, known as a “dropper”, at some point connects to a remote Command and Control (C&C) server, downloads a second malicious app containing the actual GhostTeam payload, and installs it on the device.

The second-stage app is usually disguised as a system-level app: the attackers display fake security alerts through the original app to trick users into installing the second app themselves and granting it device administrator rights. Once it has admin access, the malware's first visible action is to show intrusive ads on the infected device.

The malware was also found to be stealing Facebook credentials from infected devices. What puzzled security experts is that the method is unusual: rather than overlaying a fake login screen on top of the real Facebook app, it steals the data from the actual Facebook login page. How does it do this? It detects when the user tries to open the real Facebook app and then opens the genuine Facebook login page inside a native Android headless browser component such as a WebView (with its WebChromeClient). These components are embeddable browsers over which the hosting app has full control, which is why GhostTeam was able to steal Facebook credentials in addition to displaying intrusive ads.

To steal the credentials, the malware-laden apps load the real Facebook login page inside that embedded browser and, at the same time, load malicious JavaScript code responsible for collecting the user's Facebook login credentials. The collected data is then sent to a remote server under GhostTeam's control.

And since the login operations take place on the original Facebook login page and inside a legitimate Android component, mobile security apps weren’t able to detect that the Facebook credentials were being stolen.

According to Avast and Trend Micro, the malware-infested apps may have been created by a Vietnamese threat actor: the apps use Vietnamese as their default language (while also offering English versions for non-Vietnamese speakers), some of their Google Play Store descriptions are in Vietnamese, and they communicate with C&C servers hosted on Vietnamese IP addresses. Despite this, the countries with the most GhostTeam infections are India, Indonesia and Brazil, which together account for over 60% of infections.

“We’ve removed the apps from Play, disabled the developers’ accounts, and will continue to show strong warnings to anyone that has installed them,” stated a spokesperson from Google. “We appreciate Check Point’s work to help keep users safe.”

Security experts advised users to change their Facebook credentials immediately as well as enable the two-factor authentication if they find any of these apps on their Android devices.

According to Check Point, the apps listed below are the ones infected with GhostTeam:

  1. Five Nights Survival Craft
  2. Mcqueen Car Racing Game
  3. Addon Pixelmon for MCPE
  4. CoolCraft PE
  5. Exploration Pro WorldCraft
  6. Draw Kawaii
  7. San Andreas City Craft
  8. Subway Banana Run Surf
  9. Exploration Lite: Wintercraft
  10. Addon GTA for Minecraft PE
  11. Addon Sponge Bob for MCPE
  12. Drawing Lessons Angry Birds
  13. Temple Crash Jungle Bandicoot
  14. Drawing Lessons Lego Star Wars
  15. Drawing Lessons Chibi
  16. Girls Exploration Lite
  17. Drawing Lessons Subway Surfers
  18. Paw Puppy Run Subway Surf
  19. Flash Slither Skin IO
  20. Invisible Slither Skin IO
  21. Drawing Lessons Lego Ninjago
  22. Drawing Lessons Lego Chima
  23. Temple Bandicoot Jungle Run
  24. Blockcraft 3D
  25. Jungle Survival Craft 1.0
  26. Easy Draw Octonauts
  27. halloweenskinsforminecraft
  28. skinsyoutubersmineworld
  29. youtubersskins
  30. DiadelosMuertos
  31. Draw X-Men
  32. Moviesskinsforminecraft
  33. Virtual Family – Baby Craft
  34. Mine Craft Slither Skin IO
  35. Guide Clash IO
  36. Invisible Skin for Slither IO app
  37. Zombie Island Craft Survival
  38. HalloweenMakeUp
  39. ThanksgivingDay
  40. ThanksgivingDay2
  41. Jurassic Survival Craft Game
  42. Players Unknown Battle Ground
  43. Subway Bendy Ink Machine Game
  44. Shin Hero Boy Adventure Game
  45. Temple Runner Castle Rush
  46. Dragon Shell for Super Slither
  47. Flash Skin for Slither IO app
  48. AnimePictures
  49. Pixel Survival – Zombie Apocalypse
  50. Fire Skin for Slither IO app
  51. San Andreas Gangster Crime
  52. fidgetspinnerforminecraft
  53. Stickman Fighter 2018
  54. Subway Run Surf
  55. Guide Vikings Hunters
  56. Woody Pecker
  57. Pack of Super Skins for Slither
  58. Spinner Toy for Slither
  59. How to Draw Coco and The Land of the Dead
  60. How to Draw Dangerous Snakes and Lizards Species
  61. How to Draw Real Monster Trucks and Cars
  62. How to Draw Animal World of The Nut Job 2
  63. How to Draw Batman Legends in Lego Style