fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Photo Editor Android App STILL Sitting On Google Play Store Is Malware

Photo Editor Android App STILL Sitting On Google Play Store Is Malware

Note: The app was shortly removed after BleepingComputer reported it to Google via Play store.

An Android app sitting on the Google Play store touts itself to be a photo editor app. But, it contains code that steals the user’s Facebook credentials to potentially run ad campaigns on the user’s behalf, with their payment information.

The app is called “Blender Photo Editor-Easy Photo Background Editor” and has been installed over 5,000 times to date.

Last week, similar malicious apps with over 500,000 installs were also found on the Play Store.

“Log in” with Facebook does more than just login

Like many Android apps, the “Blender Photo Editor-Easy Photo Background Editor” app comes with the sign-in with Facebook functionality. Except, it also makes use of your Facebook credentials to do some fishy stuff.

Tatyana Shishkova, an Android Malware Analyst at Kaspersky, discovered the “trojan” app this week which is still available on the Google Play store, at the time of writing.

Also Read: 4 Considerations In The PDPA Singapore Checklist: The Specifics

malicious photo editor Android app
Photo editor Android app still sitting on the Google Play store (BleepingComputer)

The app contains malicious code, identical to what was found in similar “photo editor” apps last week by Maxime Ingrao, a security researcher at mobile payments cybersecurity firm Evina.

These Android apps require Android users to sign in via their Facebook account to access the app, but then silently collect the credentials via encrypted JavaScript commands hidden within the app.

The apps then make requests to the Facebook Graph API to peek into the user’s Facebook account and look for any ad campaigns and stored payment information.

The malware, according to Ingrao, “is very interested in the advertising campaigns you might have done and if you have a registered credit card.” This would allow the attacker behind these apps to create their own ad campaigns via the user’s Facebook credentials, and linked payment information.

Identical apps installed over 500,000 times

Ingrao had previously discovered similar malicious apps called  “Magic Photo Lab – Photo Editor” and “Pix Photo Motion Edit 2021” with the latter scoring over 500,000 installs.

Both apps have since been removed from the Google Play store.

Also Read: The 3 Main Benefits Of PDPA For Your Business

Malicious Android apps with over 500K downloads on Google Play store
Malicious Android apps with over 500K downloads on Google Play store (BleepingComputer)

The researcher shared some insights with BleepingComputer as to how he found something wasn’t right with these apps.

“I noticed the suspicious code first by doing a dynamic analysis,” Ingrao tells BleepingComputer in an email interview.

“I noticed that the WebView was running JavaScript to retrieve the credentials. Then I downloaded the code and I recoded the function that decrypts the texts inside the code, that’s how I found the executed JavaScript and the calls to the Facebook Graph API,” continued the French security researcher.

BleepingComputer also analyzed the APK for “Blender Photo Editor-Easy Photo Background Editor,” which is still live on Google Play, and can confirm seeing identical malicious code in the app.

During our analysis, we attempted to roughly reconstruct the Java source code of the Android app from the compiled APK (bytecode).

The suspicious class “sources/com/easyblender/blendphoto/Blends/ext/AnaActivity.java” contains the WebView referenced by Ingrao. Additionally, we noticed partial strings, such as, “m.face” and “m.f” referring to m.facebook.com and m.fb.com domains.

The obfuscated code, in various places, contains encrypted strings with JavaScript code that are only decrypted when the app is running live. There are instructions in the code to fetch user’s Facebook “access_token” to authenticate to the Facebook API, and accessing Facebook session cookies such as, “c_user“—all of which may appear as part of the normal “Sign-in with Facebook” workflow.

Malicious Photo Editor app code
Various instances of obfuscated and encrypted code found inside the app (BleepingComputer)

But at runtime, the following JavaScript code, seen by Ingrao, conducts additional spying. A WebView launched by the app runs this JavaScript code to retrieve the Facebook credentials entered by the user.

And this is when the aforementioned requests to Facebook’s Graph API are made, to peek into any Facebook ad campaigns present in the user’s account, along with the associated payment information:

Malicious JS code decrypts at runtime
Malicious JS code decrypts at runtime (Maxime Ingrao)

Android users should be wary of such “photo editor” apps recently seen on the Google Play store. Those who have already installed any such app should uninstall the app immediately, clean up their smartphone, and reset their Facebook credentials.

BleepingComputer has reported the aforementioned Blender photo editor app to Google Play prior to publishing.

Update 5:05 am ET: Google Play Store has removed the Blender photo editor app following our report. An archived copy of the app page is available.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us