GhostTeam Android Malware Targets Facebook Account Credentials

Researchers at Avast and Trend Micro discovered a new Android adware, dubbed GhostTeam, capable of stealing Facebook credentials and delivering ads to infected mobile devices. GhostTeam was detected in 53 malicious applications previously available for download through the official Play store including those marketed as flashlights, QR code scanners, file cleaners, and social media video downloaders. Once downloaded, a secondary application, disguised as “Google Play Services”, is delivered to unsuspecting users in the form of an alert prompting installation. GhostTeam targets Facebook account credentials specifically through apps designed to download videos from Facebook. If a user opens the Facebook app on an infected device, GhostTeam will capture the email address and password used to log into the account and transmit that information to a remote server controlled by the hacker. The NJCCIC recommends users who installed the malicious applications uninstall them immediately and update Facebook account credentials as soon as possible. We also recommend reviewing TrendMicro’s Reportfor a complete listing of malicious applications and Indicators of Compromise (IoCs).