Fakeapp is a trojan targeting Android devices, first discovered in 2012. The malware downloads configuration files to display advertisements and collects information from the compromised device. The new variant, discovered in February 2018 by Symantec, logs into Facebook accounts and harvests account details from the victims’ devices. The app is sourced from a third-party market, and once it’s installed, the malicious app immediately hides itself from the home screen while still running in the background.

The app first checks whether the device has a compromised Facebook account by submitting the International Mobile Equipment Identity (IMEI) to the command and control (C&C) server. If no Facebook account is collected, it verifies that the app is installed on the device. Once it is installed, a spoofed Facebook login page appears requesting the user's login credentials, which are stolen if submitted. To verify that the credentials are successfully collected, the login UI will periodically be displayed. Once the credentials are properly captured, the app will log into the Facebook account and hide the screen by setting the display to be completely transparent. When logged in, the malware can scrape the personal data off the profiles of the victim, their family, and friends. Fakeapp has also been used to steal Uber account credentials.


  • February 2018: Android.Fakeapp new variant harvests users' Facebook credentials. (Symantec)
  • January 2018: Android malware steals Uber credentials. (Symantec)
  • February 2012: Android.Fakeapp Trojan shows up as a free fan app. (Symantec)

Technical Details

  • Technical details on the Android.Fakeapp Trojan from 2018 are available from Symantec.