GhostTeam, the malware that steals access to Facebook

Comodo Blog

Arturo Di Corinto

Avast and Trend Micro, two computer security companies, have discovered new malware capable of stealing Facebook login credentials. Nicknamed “GhostTeam”, it is present in 56 applications found on the Google Play Store.

These harmful apps for Android have the appearance of utilities that promise to enhance the operation of mobile phones by cleaning them up, scanning QR codes, facilitating video management, etc., but they pose a real danger to users.

Once downloaded, they ask the victim for access to the device administrator options so that “the app collects information about the device, such as its identifier, ID, location, language and other display parameters”.

Malware, or malicious software, is a family of viruses that do not necessarily contain malicious code, which is why the apps managed to pass unscathed through the controls of Google’s software distribution platform.

You could say, then, that they are not dangerous in themselves, but as soon as users open the Facebook app on their phone, the malware invites them to verify their account again by logging in to their social profile.

But the page to which you are redirected is not the official Facebook login. Using code that runs in a WebView, the malware steals the victim’s Facebook username and password and sends them to a remote server controlled by malicious people.

Trend Micro researchers warn that these stolen Facebook credentials can later be repurposed to deliver “much more damaging malware” or “accumulate an army of zombies on social media” to spread false news or generate cryptocurrency malware.

“Zombies” are computers controlled by third parties without the user’s knowledge that can “be awakened” to carry out attacks on Internet sites and services, such as DDoS (“Distributed Denial of Service”) attacks, which bring down the targeted services with too many simultaneous access requests.

Stolen Facebook accounts can also expose “a wealth of other financial information and personal data” that can then be sold on the Dark Web, the portion of the web that is not indexed by common search engines and is made up of sites accessible only with specific software, which makes them more difficult to find.

The two computer security companies believe that GhostTeam was developed and uploaded to the Play Store by a Vietnamese developer due to the considerable use of the Vietnamese language in the code. According to the researchers, the majority of users affected by GhostTeam malware live in India, Indonesia, Brazil, Vietnam and the Philippines.

In addition to stealing Facebook credentials, GhostTeam malware also displays pop-up ads aggressively while keeping the infected device active by showing unwanted ads in the background.

The malicious apps have been removed by Google from its Play Store, but users who have already installed one of them on their devices must make sure that they have enabled Google Play Protect, which uses machine learning and analysis of app usage to uninstall malicious apps.

In short, the best way to protect yourself is to take care to download apps from official sites and to check the reviews before doing so, bearing in mind that it does not hurt to have a good antivirus on your phone.

Teacher, journalist, hacktivist. Privacy advocate, copyright critic, free software fan, cybersecurity curious.
