This new Android malware steals Facebook data directly from the device

Facebook is no stranger to spreading of scams and installation of malicious malware on its platform. Thanks to its large user base, the popular social media networking site has always been the favorite of cybercriminals and hackers.

In a newly identified scam detected by security company Symantec, a malicious app dubbed ‘Android.Fakeapp’, involves a new malware strain that is phishing for Facebook login credentials directly from the targeted devices. Once the Facebook user credentials are obtained, the malware logs into the account and collects account information and results using the Facebook mobile app’s search functionality.

According to the researchers, the Fakeapp malware is currently made available via malicious apps to English-speaking users on third-party app stores.

How does the Fakeapp malware work?

Once installed, the apps infected with the Fakeapp malware will immediately hide from the phone’s home screen, leaving only a service running in the background. The malware acts step-by-step (see below) since its installation to steal details from a Facebook user’s account:



  • It checks for a target Facebook account by submitting the International Mobile Equipment Identity (IMEI) to the command and control (C&C) server.
  • If no account can be collected, it verifies that the app is installed on the device.
  • It then launches a spoofed Facebook login user interface (UI) to steal user credentials.
  • It periodically displays this login UI until credentials are successfully collected.

Besides sending the collected Facebook login credentials to the attacker’s server, the Fakeapp malware also immediately uses the login details to login into the compromised Facebook account. Once the malware is logged into the Facebook page, it can collect wide variety of information on education, work, contacts, bio, family, relationships, events, groups, likes, posts, pages, and so on.

“The functionality that crawls the Facebook page has a surprising level of sophistication,” Martin Zhang and Shaun Aimoto, the two Symantec researchers who analyzed Fakeapp say.

“The crawler has the ability to use the search functionality on Facebook and collect the results. Additionally, to harvest information that is shown using dynamic web techniques, the crawler will scroll the page and pull content via Ajax calls,” Symantec explained.

In order to stay safe, Facebook users are recommended to regularly update the software and avoid installing applications from unknown sources. Only download apps that are from trusted sources.

Source: Symantec, Bleeping Computer