According to Tatyana Shishkova, an Android Malware Analyst at security firm Kaspersky, the apps in question were asking users to sign in via their Facebook accounts to gain access to the best features.
Anyone who uses apps on their phone will know that a large number of applications offer this way of signing up via Facebook, as it makes things faster and removes the need to set up endless accounts.
However, whilst the majority of official apps make sure this data stays safe, these latest apps were actively harvesting the sign-in data to capture Facebook credentials and steal personal data, including any stored payment information.
The latest app to use this method is called “Blender Photo Editor-Easy Photo Background Editor” which, until recently, was still available to download and install via the Play Store.
It has now been blocked by Google but not before receiving thousands of downloads.
This nasty app isn’t the only worry for Android fans, with two further apps being taken down by Google after it was found that they were also trying to steal Facebook credentials.
As discovered by Maxime Ingrao, a security expert at cybersecurity firm Evina, the “Magic Photo Lab – Photo Editor” and “Pix Photo Motion Edit 2021” apps had managed to rack up over 500,000 downloads before being removed.
The team at Bleeping Computer, who first reported the attack, are now advising users to be careful downloading any “photo editor” apps that have been recently added to the Play Store.
If you have downloaded the apps mentioned above then it’s vital that you delete them from your phone immediately and reset any Facebook credentials.
Speaking about the latest Play Store issues, Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre, said: “Users should take care to review the scope of any token granted when they sign up for an app using a centralised login service to ensure that it doesn’t grant unnecessary access.
“Further, users should periodically take time to review which apps they’ve granted access to with an eye to whether that access is still needed. This is important as once access is granted, usage will continue indefinitely. Since centralised login services maintain a unique identifier for each user account, simply deleting all access tokens and then following the “Signup with Facebook” link within your apps will ensure that access is limited to the current API restrictions and won’t use previous settings that were overly broad.”
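The review Mackey describes, checking each connected app's granted scopes against what its feature actually needs and spotting grants that are no longer used, can be expressed as a small least-privilege audit. The following is an added example, not code from the article or from any of the parties it quotes; the app records and scope names are constructed for illustration and are not a real provider's permission list or API output.

```python
"""Least-privilege audit of third-party social-login grants.

Hypothetical, self-contained example: the grant records below are constructed,
and the scope names are illustrative rather than a real provider's permissions.
"""
from datetime import date

# Constructed inventory of apps connected to a social login account.
# "granted" is what the app received when the user pressed "Sign in with ...",
# "needed" is what its advertised feature actually requires, and "last_used"
# is the last time the grant was exercised.
CONNECTED_APPS = [
    {"app": "photo_editor_a",
     "granted": {"public_profile"},
     "needed": {"public_profile"},
     "last_used": date(2021, 6, 20)},
    {"app": "photo_editor_b",
     "granted": {"public_profile", "email", "user_friends", "user_posts"},
     "needed": {"public_profile"},
     "last_used": date(2021, 6, 28)},
    {"app": "old_game",
     "granted": {"public_profile", "email"},
     "needed": {"public_profile", "email"},
     "last_used": date(2020, 9, 1)},
]


def excess_scopes(record):
    """Scopes granted beyond what the app's feature needs."""
    return record["granted"] - record["needed"]


def is_stale(record, today, max_idle_days=90):
    """True if the grant has not been exercised within max_idle_days."""
    return (today - record["last_used"]).days > max_idle_days


def audit(records, today, max_idle_days=90):
    """Return one finding per app whose grant should be revoked or re-linked.

    An app holding excess scopes is flagged for revoke-and-relink, so that the
    fresh sign-in only receives the scopes the app currently needs; a grant
    that is simply unused is flagged for revocation.
    """
    findings = []
    for r in records:
        extra = excess_scopes(r)
        if extra:
            findings.append({
                "app": r["app"],
                "action": "revoke_and_relink",
                "reason": "excess scopes: " + ", ".join(sorted(extra)),
            })
        elif is_stale(r, today, max_idle_days):
            idle = (today - r["last_used"]).days
            findings.append({
                "app": r["app"],
                "action": "revoke",
                "reason": "unused for %d days" % idle,
            })
    return findings


if __name__ == "__main__":
    for f in audit(CONNECTED_APPS, date(2021, 7, 1)):
        print(f["app"], f["action"], f["reason"])
```

Excess scopes take precedence over staleness in `audit`, because re-linking an app already revokes the old token; an app that is both over-privileged and idle therefore gets a single finding rather than two.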