Researchers at French mobile security company Pradeo revealed that the app, Craftsart Cartoon Photo Tools, contained a version of an Android trojan malware called Facestealer. As with similar malicious applications, Craftsart Cartoon Photo Tools did perform some of its promised functions. It converted photos into cartoon- or painting-style images—there are numerous apps available that do the same thing—though some reviews say it merely added a filter to images. However, it included a small piece of code that could steal users’ Facebook login credentials, thereby gaining access to their accounts and any other services that may reuse the same login/passwords.
Does this seem legit to you? The app performed this act of thievery by directing users to the legitimate Facebook mobile login page upon opening, but “injected malicious JavaScript” would steal login credentials and send them to a command-and-control server. The Russian-registered domain that the app connected to has been used intermittently for seven years as the command-and-control address for multiple malicious Android apps. The stolen credentials could be used to access Facebook accounts and all the personal information they contain. Hackers could also try to dupe victims’ friends by sending them fake messages. “Facebook credentials are used by cybercriminals to compromise accounts in multiple ways, the most common being to commit financial fraud, send phishing links and spread fake news,” wrote Pradeo. We’re seeing an increasing number of malicious apps circumventing the Play Store’s safeguards and being downloaded hundreds of thousands of times. They often achieve this by mimicking popular apps’ functions and thoroughly concealing what little malicious code they contain, as was the case with the Joker-infected Color Message app downloaded 500,000 times before it was removed in December. The best way to avoid these malicious apps is to check the reviews. Many who downloaded Craftsart Cartoon Photo Tools identified it as a fake or some kind of scam—it also had a 2.1-star rating—but it still managed to gain 100,000 downloads.