{
	"id": "92e12711-c546-474f-9335-d8d1aa836758",
	"created_at": "2026-04-06T00:14:50.363156Z",
	"updated_at": "2026-04-10T03:30:33.808029Z",
	"deleted_at": null,
	"sha1_hash": "6ae9fee98b50d69944ad46e19aa5e1bfc9ac4f21",
	"title": "Stay Alert of Facebook Credential Stealer Applications Stealing User’s Credentials. - Home",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1472287,
	"plain_text": "Stay Alert of Facebook Credential Stealer Applications Stealing User’s Credentials. - Home\r\nBy Digvijay Mane\r\nPublished: 2022-03-14 · Archived: 2026-04-05 17:35:45 UTC\r\nSocial media credentials are always a lucrative target for threat actors, who use various techniques to obtain them. Some use overlays with fake user interfaces, some use key-logging, and some use simple social engineering to trap users. Another technique threat actors have used in the recent past is JavaScript code injection in a WebView to steal Facebook credentials: the injected script directly captures the Facebook login credentials the user enters.\r\nIn January 2022, Quick Heal Security Labs saw many Facebook credential stealer applications on the Google Play Store, which use different techniques to hide their JavaScript code. Android researchers named this family of Facebook credential stealers “Facestealer.”\r\nHow dangerous is this?\r\nIf Facebook credentials are successfully harvested, the hacker gets access to the user’s personal information, such as personal details, friend lists, relationship details, activities, private posts \u0026 messages, photos/videos, life events, etc., and can perform malicious activities such as:\r\nImpersonate the real user \u0026 use this data for malicious activities like phishing \u0026 spoofing.\r\nUse the compromised account to distribute spam messages, malicious links, malware files, etc.\r\nBlackmail the victim with the collected private, sensitive data for financial or other benefits.\r\nDamage the victim’s social reputation.\r\nChange the victim’s personal details.\r\nPost unwanted posts.\r\nCompromise the victim’s other social media and professional accounts using the collected information.\r\nSo, losing Facebook credentials to hackers can be very dangerous, as it could lead to several unforeseen consequences.\r\nWhat Did Quick Heal Security Do About This?\r\nQuick Heal Security Labs reported the following applications to the Google Play Store, and Google took prompt action (see Fig. 2) and removed these applications from the Google Play Store.\r\nFig. 1. Reported applications from Google Play Store with their download counts\r\nhttps://blogs.quickheal.com/stay-alert-of-facebook-credential-stealer-applications-stealing-users-credentials/\r\nPage 1 of 11\r\nFig. 2. Mail reporting the applications to Google and Google’s confirmation\r\nBelow is a technical analysis of these applications:\r\nTechnical Analysis:\r\n#1. Application Name: PicsArt\r\nMD5: db95ae3cc6697bc9169fc9d6566a97bc\r\nThis application uses various string encryptions to avoid AV engine detection and to make analysis difficult for researchers.\r\nThis application:\r\nOpens with a PicsArt screen (shown in the middle).\r\nThen redirects to the next page, asking for Facebook credentials.\r\nFig. 3. Application launch and request for Facebook credentials\r\nBut in the background, this application makes a request to the URL hxxps[:]//mago[.]qfoster[.]shop/PHP/submit/data. Fig. 4 shows the code executed by the application to make this request.\r\nFig. 4. Code for the above request\r\nThe application receives an encrypted response, shown in Fig. 5.\r\nFig. 5. Response from the C2 for the application’s request\r\nThe application then decrypts the received data, as shown in Fig. 6.\r\nFig. 6. Decryption flow for response data\r\nThe application uses DES/CBC decryption followed by Base64 decoding to get intermediate data, then AES/CBC decryption followed by Base64 decoding to get the final decrypted response.\r\nFig. 7 shows the final decrypted output of this process. The application uses this decrypted data for further processing.\r\nFig. 7. Final decrypted response data\r\nThe application saves this decrypted data in a SharedPreferences file, x86m.xml, for future use. Fig. 8 shows the data in x86m.xml.\r\nFig. 8. SharedPreferences file x86m.xml data\r\nNow, the application uses these values to get the Facebook URL value and the JavaScript injection code.\r\nHere the function C0151a.m855b() reads values from the shared preference file “x86m.xml”; these values are then decrypted by the function C0152a.m930a(): javascript:window.assi.showAsd(document.getElementById(‘m_login_email’).value,document.getElementById(‘m_login_password\r\nFig. 9 shows this code, which decrypts the Facebook URL value and the JavaScript injection code and then executes the injection.\r\nFig. 9. Code for opening the official Facebook page and JavaScript injection\r\nFig. 10 gives the decryption flow for this data. It takes the value of the “desc” key from the shared preference file, then applies AES/ECB decryption two times, followed by Base64 decoding, to get the final decrypted JS code.\r\nFig. 10. JavaScript injection code decryption flow\r\nTo get the Facebook URL, a decryption function is called inside the webview.loadUrl() call. In this decryption function:\r\nIt takes the value of the “private” key from the shared preference file.\r\nThen it uses AES/ECB decryption followed by Base64 to get intermediate data.\r\nThen DES/CBC followed by Base64 to get second intermediate data.\r\nThen AES/ECB followed by Base64 to get the final URL value.\r\nThese steps are explained in Fig. 11.\r\nFig. 11. Facebook URL decryption flow\r\nAfter this, “ShowAsd” is the function called from the injected JavaScript code. This function takes the values and stores them in one of the shared preference files, “FILE_KPx86m”, as shown in Fig. 12.\r\nFig. 12. Code which keeps the collected information in one file\r\nThe code below (Fig. 13) prepares the collected data for submission:\r\nIt takes the data from the FILE_KPx86m file.\r\nThen it first encrypts it with AES/CBC.\r\nThen with DES/ECB.\r\nThen it sends this encrypted data to the C\u0026C server; Fig. 14 shows this code.\r\nFig. 13. Encrypting collected data\r\nFig. 14. Posting collected data to C2\r\n#2. Application name: smart scanner\r\nMD5: 38a72e3b36c4b44bf22c0ce78ec668d1\r\nThe second application we reported, smart scanner, is relatively less complex.\r\nThis application opens with a smart scanner default screen (shown in the middle of the image). After clicking the “login with Facebook” button, it opens the third screen, asking the user to log in with Facebook credentials.\r\nFig. 15. Smart scanner application launch\r\nThis application uses comparatively less encryption than the one above.\r\nAs shown in part 1 of Fig. 16, the application opens the official Facebook page and adds a JavaScript interface with the name “jshandler.” In part 2, we can see the JavaScript code that reads the email and password values. In part 3, it creates a JSON object with this data, and in part 4 it sends it to the C2.\r\nFig. 16. Application malicious code\r\nIOCs:\r\nQuick Heal Security Labs detects these apps as variants of Android.Facestealer.\r\nSocial media credential theft is not seen as being as serious an issue as financial credential theft. As we stated earlier, this is a challenging issue, and users should understand the risk involved.\r\nMalware authors spread these malware applications on the Google Play Store as photo editing applications and PDF applications. Users easily download these types of applications without giving it much thought. Users should avoid logging in with social media in such applications.\r\nHow can users secure their Facebook account?\r\nUsers should use the features provided by Facebook to secure their account, such as:\r\nTwo-factor authentication\r\nTrusted contacts\r\nThese features may help users avoid getting hacked.\r\nQuick Heal Security Labs continuously checks applications from the Google Play Store for such malware.\r\nSource: https://blogs.quickheal.com/stay-alert-of-facebook-credential-stealer-applications-stealing-users-credentials/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.quickheal.com/stay-alert-of-facebook-credential-stealer-applications-stealing-users-credentials/"
	],
	"report_names": [
		"stay-alert-of-facebook-credential-stealer-applications-stealing-users-credentials"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434490,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6ae9fee98b50d69944ad46e19aa5e1bfc9ac4f21.pdf",
		"text": "https://archive.orkl.eu/6ae9fee98b50d69944ad46e19aa5e1bfc9ac4f21.txt",
		"img": "https://archive.orkl.eu/6ae9fee98b50d69944ad46e19aa5e1bfc9ac4f21.jpg"
	}
}