GhostTeam Adware can Steal Facebook Credentials [source: trendmicro]

22 Jan 2018

No Comments

1397

We uncovered a total of 53 apps on Google Play that can steal Facebook accounts and surreptitiously push ads. Many of these apps, which were published as early as April 2017, seemed to have been put out on Google Play in a wave. Detected by Trend Micro as ANDROIDOS_GHOSTTEAM, many of the samples we analyzed are in Vietnamese, including their descriptions on Google Play.

Their command-and-control (C&C) server points to mspace[.]com[.]vn. This, along with the considerable use of Vietnamese language, may indicate that the apps were from Vietnam. For instance, GhostTeam’s configurations are in English and Vietnamese. English will be the default language if the malware detects the geolocation to be outside Vietnam.

The apps pose as utility (flashlight, QR code scanner, compass) and device performance-boosting apps (file transfer, cleaner), and more notably, social media video downloaders. The use of video downloaders as social engineering hooks — enticing users with features that allow them to download videos for offline viewing — concurs with our detections for GhostTeam. India, Indonesia, Brazil, Vietnam, and the Philippines, reported to have the most Facebook users, are also the most affected by GhostTeam.

While we haven’t seen active cybercriminal campaigns that use the stolen Facebook credentials so far, it’s not farfetched to think they would. As other cyberattacks and threats like the Onliner spambot showed, these credentials can be repurposed to deliver far more damaging malware or to amass a zombie social media army that can proliferate fake news or a cryptocurrency-mining malware. Facebook accounts, which can contain a wealth of other financial and personally identifiable information, are also peddled in the underground.

For more, click here.