{
	"id": "a8ece690-163a-4408-a2eb-fd879cae400d",
	"created_at": "2026-04-10T03:21:17.06013Z",
	"updated_at": "2026-04-10T13:11:57.397193Z",
	"deleted_at": null,
	"sha1_hash": "a7050971d8fb70e8677ba689af7262031b1acf45",
	"title": "Facestealer – The Rise of Facebook Credential Stealer Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 851911,
	"plain_text": "Facestealer – The Rise of Facebook Credential Stealer Malware\r\nPublished: 2022-01-27 · Archived: 2026-04-10 03:14:22 UTC\r\nThreat actors are constantly employing new tricks while also maintaining their old tried-and-tested tactics. One such evergreen tactic is to deploy malicious duplicates of popular Android apps in the Play Store. We came across one such band of malicious apps tagged as Facebook credential stealer, aka Facestealer. A swath of such malicious apps that we came across on the Play Store is shown in the figure below.\r\nFigure 1: Malicious Facestealer Apps from Google Play Store\r\nWhat is Facestealer?\r\nFacestealer is a family of Android Trojans that uses social engineering tricks to steal confidential Facebook information such as the username and password. These malicious apps were initially distributed via Google Play and through third-party app stores.\r\nThe following Facestealer samples were discovered recently on the Google Play Store and have since been removed:\r\nFresh Desktop\r\nOxagon Lighting Wallpaper Edge\r\nPhoto Collage Editor\r\nPhoto Maker\r\nPics Art\r\nProwire VPN – Secure Proxy\r\nPumpkin VPN\r\nSecure VPN Pro\r\nhttps://labs.k7computing.com/index.php/facestealer-the-rise-of-facebook-credential-stealer-malware/\r\nPage 1 of 5\r\nSmart Scanner\r\nSnap Beauty Camera\r\nSnap Editor Pro\r\nSuper-Click VPN\r\nTouch VPN Proxy\r\nYouPerfect Camera\r\nYourWallpaper\r\nTechnical Analysis\r\nIn this blog, we will be analyzing the sample com.friendtrip.smartscanner. Upon execution, the installed app launches Facebook’s official landing page and then asks the user to log in with their Facebook account, as shown in Figure 2.\r\nFigure 2: Asking the user to log in with Facebook credentials\r\nThe malicious app uses the Android WebView object’s loadUrl API to launch Facebook’s official page, as shown in Figure 3.\r\nFigure 3: Launching Facebook’s official page via WebView\r\nOnce Facebook’s official page loads into the WebView object, the malware injects malicious JavaScript code into that page and extracts all the necessary information, such as account, password, user-agent and cookie information, as shown in Figure 4.\r\nFigure 4: Collects confidential information\r\nWhen the user enters the credentials into Facebook’s login page, the Facestealer malware requests a configuration file from the C&C server hxxp://webtrace[.]club/beacon, as shown in Figure 5.\r\nFigure 5: Request for configuration file from C&C server\r\nOnce that request succeeds, the malware collects the user account, password and cookie information and POSTs them to the C&C server hxxp://webtrace[.]club/api_v0/udata, as shown in Figure 6.\r\nFigure 6: POST user credentials to C&C server\r\nMitigations\r\nAlways use the official app store to download apps\r\nCarefully read the user reviews before installing apps\r\nEnsure you protect your device and data by using a reputable security product like K7 Mobile Security and keeping it up-to-date, to scan all downloaded apps, irrespective of the source\r\nAt K7 Labs, we are constantly protecting our users with near real-time monitoring of Facestealer malware.\r\nIndicators of Compromise (IoCs)\r\nInfected Package Name on Google Play Store | Hash | Detection Name\r\ncom.beautyselfie.photo.camera | BF63CC224C9CC17D768156EA74EE16BB | Trojan ( 0058d3f41 )\r\ncom.oxagon.edge | 0ED449F32AB9F2C8CD68F8C9D5550E1B | Trojan ( 0058d3f51 )\r\ncom.pumpkinvpn.proxysafen | CB9D2B020289B038C681D4EFDB100B0C | Trojan ( 0001140e1 )\r\ncom.snapins.camerabeautya | 2E968BB73A13D0A7C202EDC797763D2F | Trojan ( 0058d3f41 )\r\ncom.touchvpn.proxy | 00B22E3E10F2F5C0EAA40587D2E4D6D6 | Trojan ( 0056e5201 )\r\ncom.artnes.story.videosplitter | 78040374ADAC35EE23FF6BD959F8BDE7 | Spyware ( 0058cb9d1 )\r\ncom.friendtrip.smartscanner | 38A72E3B36C4B44BF22C0CE78EC668D1 | Spyware ( 0058d2c21 )\r\nSource: https://labs.k7computing.com/index.php/facestealer-the-rise-of-facebook-credential-stealer-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.k7computing.com/index.php/facestealer-the-rise-of-facebook-credential-stealer-malware/"
	],
	"report_names": [
		"facestealer-the-rise-of-facebook-credential-stealer-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775791277,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7050971d8fb70e8677ba689af7262031b1acf45.pdf",
		"text": "https://archive.orkl.eu/a7050971d8fb70e8677ba689af7262031b1acf45.txt",
		"img": "https://archive.orkl.eu/a7050971d8fb70e8677ba689af7262031b1acf45.jpg"
	}
}