{
	"id": "e1f33abc-6dfc-41f5-a7fe-101a6c9af6ea",
	"created_at": "2026-04-06T02:11:04.674392Z",
	"updated_at": "2026-04-10T13:12:56.095811Z",
	"deleted_at": null,
	"sha1_hash": "c9293e3b9e60d564a2cb7b87f701e0dc1283825a",
	"title": "Facestealer Trojan Hidden in Google Play Plunders Facebook Accounts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 202390,
	"plain_text": "Facestealer Trojan Hidden in Google Play Plunders Facebook\r\nAccounts\r\nBy Tara Seals\r\nPublished: 2022-03-21 · Archived: 2026-04-06 01:38:43 UTC\r\nThe trojanized Craftsart Cartoon Photo Tools app is available in the official Android app store, but it’s actually\r\nspyware capable of stealing any and all information from victims’ social-media accounts.\r\nA popular mobile app in the official Google Play store called “Craftsart Cartoon Photo Tools” has racked up more\r\nthan 100,000 installs – but unfortunately for the app’s enthusiasts, it contains a version of the Facestealer Android\r\nmalware.\r\nThat’s according to researchers at Pradeo, who said the app performs somewhat as promised, pretending to be a\r\nlegitimate photo editing tool. Specifically, it claims to allow users to convert photos into cartoon or “painting”-\r\nstyle versions using a few different filters. However, behind this mask lies a “small piece of [malicious] code that\r\neasily slips under the radar of store’s safeguards,” they explained.\r\nFacestealer is a known Android threat that has made its way into Google Play in the past via trojanized apps.\r\nAccording to past Malwarebytes analysis, when the application is first launched, it guides the user to the\r\nlegitimate main Facebook login page and asks users to log in before they can use the app. Then, “injected\r\nmalicious JavaScript steals the login credentials and sends them to a command-and-control server,” according to\r\nthe firm. 
“The C2 server makes use of login credentials to authorize access to the [account].”\r\nSplash page for the Craftsart Cartoon Photo Tools app, from Google Play.\r\nhttps://threatpost.com/facestealer-trojan-google-play-facebook/179015/\r\nPage 1 of 3\n\nFrom there, the trojan is off to the data-stealing races: It lifts information from victims’ Facebook accounts,\r\nincluding email addresses and IP addresses, phone numbers, conversations and messaging histories, credit-card\r\ndetails, friend lists and more.\r\n“When your login credentials for a social-media account have been stolen this can have serious consequences,”\r\nexplained Pradeo researchers, in a Monday writeup. “It gives threat actors a base from which to gather more\r\ninformation.” They added, “Facebook credentials are used by cybercriminals to compromise accounts in multiple\r\nways, the most common being to commit financial fraud, send phishing links and spread fake news.”\r\nA Pradeo analysis of Craftsart Cartoon Photo Tools found that the app makes connections to a Russian-registered\r\ndomain that has been used for at least seven years as the command-and-control (C2) address for various malicious\r\nAndroid apps.\r\n“[The domain] is connected to multiple malicious mobile applications that were at some points available on\r\nGoogle Play and later deleted,” they explained. “To maintain a presence on Google Play, repackaging mobile apps\r\nis common practice for cybercriminals. Sometimes, we even observed cases in which repackaging was entirely\r\nautomated.”\r\nPradeo researchers said they alerted the Google Play team about the app, but as of Monday, it was still available in\r\nthe official store. 
Obviously, users should delete the app immediately from their phones.\r\nAvoiding Google Play Malware\r\nKaspersky, in a February posting, noted that malware was increasingly popping up in Google Play, using the same\r\ntactic that Craftsart Cartoon Photo Tools uses.\r\n“The most common way to sneak malware onto Google Play is for a trojan to mimic a legitimate app already\r\npublished on the site (for example, a photo editor or a VPN service) with the addition of a small piece of code to\r\ndecrypt and launch a payload from the trojan’s body or download it from the attackers’ server,” researchers\r\nexplained. “Often, to complicate dynamic analysis, unpacking actions are performed through commands from the\r\nattackers’ server and in several steps: each decrypted module contains the address of the next one, plus\r\ninstructions for decrypting it.”\r\nUsers should thus always be wary of any app with warning signs. In this case, even though the app has\r\nmanaged to attract a large number of installs, there are definite red flags in the reviews.\r\nSome users flagged the forced Facebook login, commenting that it must be “some kind of phishing.” Other\r\ncomments included, “fake fake fake” and “very very very bad app,” which sum up the overall reactions of\r\nreviewers. Also, some noted that the functionality the app claims to have is limited or nonexistent – always a sign\r\nto stay away.\r\nIn all, Craftsart Cartoon Photo Tools has a 2.1-star rating, with the majority of the reviews being one-star\r\nassessments, balanced out by a handful of obviously fake five-star reviews. There are no two-, three- or four-star\r\nratings, which is clearly telling.\r\nSource: https://threatpost.com/facestealer-trojan-google-play-facebook/179015/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatpost.com/facestealer-trojan-google-play-facebook/179015/"
	],
	"report_names": [
		"179015"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775441464,
	"ts_updated_at": 1775826776,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c9293e3b9e60d564a2cb7b87f701e0dc1283825a.pdf",
		"text": "https://archive.orkl.eu/c9293e3b9e60d564a2cb7b87f701e0dc1283825a.txt",
		"img": "https://archive.orkl.eu/c9293e3b9e60d564a2cb7b87f701e0dc1283825a.jpg"
	}
}