These Android apps with 5.8 million downloads can steal your Facebook password — what to do

Android malware botnet attack
(Image credit: Shutterstock)

Nine dodgy Android apps have been caught trying to steal users' Facebook passwords, and even worse, they did so using Facebook's own real login page.

The nine Facebook-phishing Trojanized apps have been removed from the Google Play Store, but probably not from users' devices. One of them, called PIP Photo, was downloaded more than 5 million times. None of the others came close to that number, but together they had been downloaded about 800,000 times.

What to do now

If you've downloaded or installed any of these nine Android apps, then you need to remove them. Go into Settings > Apps & Notifications > See All Apps (your phone may be a bit different) and click on each suspect app's listing in order to uninstall it. 

You'll also need to assume that your Facebook account has been compromised. Change your Facebook password, then log out of Facebook on all your devices to clear the sessions cookies — the bits of data that keep you logged in for months at a time. You can log back in once you've done that.

If you've used the same email address and password on other accounts, then you have to assume those have been compromised too. Change your password on those, using a unique password each time. (You never want to repeat passwords for sensitive accounts.) Then log out of those accounts on all your devices before logging back in on any of them.

The nine offending apps, plus one more

  • App Lock Keep, developer Sheralaw Rence, more than 50,000 downloads
  • App Lock Manager, developer Implummet col, more than 10 downloads
  • Horoscope Daily, developer HscopeDaily momo, more than 100,000 downloads
  • Horoscope Pi, developer Talleyr Shauna, more than 1,000 downloads
  • Inwell Fitness, developer Reuben Germaine, more than 100,000 downloads
  • Lockit Master, developer Enali mchicolo, more than 5,000 downloads
  • PIP Photo, developer Lillians, more than 5 million downloads
  • Processing Photo, developer chikumburahamilton, more than 500,000 downloads
  • Rubbish Cleaner, developer SNT.rbcl, more than 100,000 downloads

In addition, a 10th app that stole Facebook passwords was discovered to have earlier been removed from Google Play, and is still available on "off-road" app markets:

  • EditorPhotoPip, developer Laurense

Because many Android apps have the same name, you'll want to make sure you're deleting the right one. From the app's page in Settings, click on Advanced > App Details. App Details should take you to the app's page in Google Play, which will either list the developer name (listed above) or take you to a deleted listing.

If you get a deleted listing, you'll know Google has removed the app from Google Play. Go back to the app's listing in Settings and uninstall it. If the developer name matches what you see in the list above, you'll want to uninstall the app in this case as well.

Fully functional, fully malicious

These password-stealing apps were discovered by Russian antivirus firm Dr. Web, which posted a report on them last week. Dr. Web said all these apps were "fully functional," indicating that their users probably wouldn't have realized there was anything shady going on behind the scenes while they happily ran the apps.

The common thread among these apps was that all showed a lot of ads — and users were invited to get rid of the ads by logging into their Facebook accounts. Many apps let you log in via Facebook or Google in order to avoid creating new accounts each time, but the process is supposed to be secure.

In these cases, it wasn't. Even though the apps presented the real Facebook third-party login page, the apps injected code behind the scenes that logged the Facebook credentials as the user typed them in. 

The code also stole the Facebook session token, which keeps you logged into Facebook for a long period. We can't even think of all the ways a stolen Facebook account could be used against you.

This is already pretty bad, but Dr. Web's report said it could have been — and may indeed be — worse.

"The attackers could have easily changed the Trojans' settings and commanded them to load the web page of another legitimate service," the report said. "They could have even used a completely fake login form located on a phishing site. Thus, the Trojans could have been used to steal logins and passwords from any service."

While all these apps are gone from Google Play, they're still available on third-party app stores. Avoid them, and in general avoid downloading apps from "off-road" marketplaces. Google Play isn't perfect — one reason you should run one of the best Android antivirus apps — but it's a lot safer than the Wild West of unregulated app stores.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.