The apps offered a variety of functions for users but used the same method for extracting data from users. A number of these apps had been available on Play Store for almost two years before Google finally took them down.
According to Evina, once the malicious app was launched on the victim’s device, the app will detect what application is currently running and the other apps in the user’s foreground. If the app is a Facebook application, the malware will launch a browser that loads Facebook at the same time, this browser is seen in the foreground, making you believe that the Facebook application launched it. The moment the user inputs their Facebook login details into the phishing page, the malicious app then sends the user’s credentials to a remote server. This could let hackers and other individuals access all data stored in the Facebook account. Most of these apps offered new wallpapers, with a number of others providing video editing tools. It is still unclear how exactly some of these apps were able to evade detection by Google Play Store Protection service this long but it is a relief that they are finally off the platform. References