Ghost Team – Facebook Credentials

And another series of Google Play apps has been shown to contain malicious code. This time we are talking about 53 apps, most of them aimed at the Asian market.

According to TrendMicro, the malware detected is ANDROIDOS_GHOSTTEAM, and it hid inside Play Store apps that contained a considerable amount of Vietnamese-language content. Furthermore, the command and control server pointed to a Vietnamese website.

Nevertheless, if it was installed on a phone outside Vietnam, the app would detect that using geolocation and switch its language to English.

As mentioned in previous articles on this blog, the malware is most often hidden in utility apps such as, but not limited to: flashlight apps, QR code scanners, compasses, performance boosting apps and, the most important category, social media enhancing apps. Among these “enhancing apps” the most popular ones are video downloaders.

This idea has been reiterated countless times on this blog, but I feel the need to remind you that information means power. Especially when it comes to social media: most social media sites already have a profile created for each and every one of their users. Although we might think they get only what we share, there have been multiple cases in which companies tracked more than the user agreed to.

Malware evolves and becomes better and better, and this one is no exception: it has a feature that lets it detect whether it is running in a virtual machine. According to TrendMicro:

“The payload disguises itself as “Google Play Services”, pretending to verify an app. If the unwitting user opens Google Play or Facebook, it displays an alert urging the would-be victim to install the fake Google Play Services. After installation, the payload will also prompt the user to activate/enable device administrator.”

Fortunately, it seems that there are no cyber-campaigns using these stolen credentials.

“As other cyberattacks and threats like the Onliner spambot showed, these credentials can be repurposed to deliver far more damaging malware or to amass a zombie social media army that can proliferate fake news or a cryptocurrency-mining malware. Facebook accounts, which can contain a wealth of other financial and personally identifiable information, are also peddled in the underground.”

Don’t forget that your phone knows almost everything about you. Take care of your phone and protect it against threats: run routine scans, install updates when prompted, double or triple check apps before installing, and read the comments posted for that particular app. And last, but not least, if an app provides features that seem too good to be true, then it is almost certainly fake.
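The TrendMicro quote above notes that the payload asks for device administrator rights while posing as “Google Play Services”. A quick way to audit that on a device is to parse `adb shell dumpsys device_policy` and flag active admins that are not on your baseline or whose receiver name imitates Play Services. The script below is an added example, not code from this post or from TrendMicro; the dumpsys text is a constructed sample that mimics the real layout, the `com.example.videodl` package is invented, and `KNOWN_ADMINS` is an assumed baseline you would adjust for your own fleet.

```python
import re

# Constructed sample resembling `adb shell dumpsys device_policy` output.
# com.google.android.gms is the real Play Services package; the second
# entry is an invented package that names its receiver after Play Services.
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.gms/.auth.managed.admin.DeviceAdminReceiver:
      uid=10024
      testOnlyAdmin=false
      policies:
        reset-password
        force-lock
    com.example.videodl/.GooglePlayServicesAdmin:
      uid=10187
      testOnlyAdmin=false
      policies:
        force-lock
        wipe-data
"""

# Assumed baseline of packages allowed to hold device-admin rights.
KNOWN_ADMINS = {"com.google.android.gms"}

ADMIN_LINE = re.compile(r"^\s{4}([\w.]+)/(\S+):\s*$")   # "<package>/<receiver>:"
POLICY_LINE = re.compile(r"^\s{8}([\w-]+)\s*$")         # one granted policy per line


def parse_device_admins(dump: str) -> dict:
    """Return {package: {"receiver": str, "policies": [str, ...]}} from dumpsys text."""
    admins, current = {}, None
    for line in dump.splitlines():
        m = ADMIN_LINE.match(line)
        if m:
            current = m.group(1)
            admins[current] = {"receiver": m.group(2), "policies": []}
            continue
        p = POLICY_LINE.match(line)
        if p and current:
            admins[current]["policies"].append(p.group(1))
    return admins


def suspicious_admins(admins: dict, known=KNOWN_ADMINS) -> list:
    """Flag admins outside the baseline or whose receiver imitates Google Play Services."""
    flagged = []
    for pkg, info in admins.items():
        reasons = []
        if pkg not in known:
            reasons.append("not in baseline")
        receiver = info["receiver"].lower().replace(".", "")
        if "googleplayservices" in receiver and not pkg.startswith("com.google."):
            reasons.append("receiver name imitates Google Play Services")
        if reasons:
            flagged.append((pkg, reasons, info["policies"]))
    return flagged
```

On a real device, feed it the output of `adb shell dumpsys device_policy` instead of the sample; a flagged entry holding `wipe-data` or `reset-password` is the one to remove first.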
