{
	"id": "c768e713-7359-4785-95f7-1d79686fecda",
	"created_at": "2026-04-06T02:11:22.618323Z",
	"updated_at": "2026-04-10T03:30:33.836015Z",
	"deleted_at": null,
	"sha1_hash": "ef24bf27f3117992f6090893d966cc3c38498521",
	"title": "Fake Mobile Apps Steal Facebook Credentials, Cryptocurrency-Related Keys",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1708713,
	"plain_text": "Fake Mobile Apps Steal Facebook Credentials, Cryptocurrency-Related Keys\r\nBy Cifer Fang, Ford Qin, Zhengyu Dong\r\nPublished: 2022-05-16 · Archived: 2026-04-06 01:48:14 UTC\r\nRead time: 7 min (1944 words)\r\nWe recently observed a number of apps on Google Play designed to perform malicious activities such as stealing user credentials and other sensitive user information, including private keys. Because of the number and popularity of these apps — some of them have been installed over a hundred thousand times — we decided to shed some light on what these apps actually do by focusing on some of the more notable examples.\r\nPassword-stealing Facestealer variants disguised as fitness, photo editing, and other apps\r\nThe Facestealer spyware was first documented in July 2021 in a report by Dr. Web detailing how it stole Facebook credentials from users via fraudulent apps from Google Play. These stolen credentials could then be used to compromise Facebook accounts for malicious purposes such as phishing scams, fake posts, and ad bots. Similar to Joker, another piece of mobile malware, Facestealer changes its code frequently, thus spawning many variants. Since its discovery, the spyware has continuously beleaguered Google Play.\r\nDuring our recent research into malicious mobile apps, we encountered more than 200 additional apps of the Facestealer spyware in the Trend Micro Mobile App Reputation Service (MARS) database.\r\nFigure 1. The distribution of the types of apps that Facestealer disguises itself as\r\nOne of the apps we found, named Daily Fitness OL, claims to be a fitness app, complete with exercises and video demonstrations. But like the initial variant, it was designed to steal the Facebook credentials of its users.\r\nFigure 2. The Google Play page for Daily Fitness OL\r\nWhen the app is launched, it sends a request to hxxps://sufen168[.]space/config to download its encrypted configuration. At the time of our analysis, the returned configuration was:\r\n`eXyJkIjowLCJleHQxIjoiNSw1LDAsMiwwIiwiZXh0MiI6IiIsImkiOjAsImlkIjoiMTE1NTYzNDk2MTkxMjE3MiIsImwiOjAsImxvZ2luX3BpY191cmxfc3dpdGNoIjo\r\nAfter decryption, the real configuration was:\r\n{\"d\":0,\"ext1\":\"5,5,0,2,0\",\"ext2\":\"\",\"i\":0,\"id\":\"1155634961912172\",\"l\":0,\"login_pic_url_switch\":0,\"lr\":\"70\"}\r\nThe “l” in the configuration is the flag used to control whether a prompt appears to ask the user to log in to Facebook. Once the user logs in to Facebook, the app launches a WebView (an embeddable browser) to load a URL, for example, hxxps://touch[.]facebook[.]com/home[.]php?sk=h_nor, from the downloaded configuration. A piece of JavaScript code is then injected into the loaded webpage to steal the credentials entered by the user.\r\nAfter the user successfully logs in to an account, the app collects the cookie. The spyware then encrypts all the personally identifiable information (PII) and sends it to the remote server. The encryption key and the address of the remote server are both taken from the downloaded configuration.\r\nFigure 3. A user’s information harvested through Daily Fitness OL being uploaded to a remote server\r\nAnother fake app, named Enjoy Photo Editor, shares many similar procedures with the Daily Fitness OL app. The primary methods of stealing credentials, in particular, are the same: harvesting credentials by injecting JavaScript code and collecting cookies after the victims successfully log in to their accounts. But this app differs by moving the downloading of the configuration and the uploading of victim credentials to the native code while also obfuscating the app to make it more difficult for security solutions to detect.\r\nWe show screenshots of more Facestealer variants in the following figures. The Facestealer variants we found have already been taken down by Google from Google Play as of this writing.\r\nFigure 4. The Google Play page for Enjoy Photo Editor\r\nFigure 5. The Google Play page for Panorama Camera\r\nFigure 6. The Google Play page for Photo Gaming Puzzle\r\nFigure 7. The Google Play page for Swarm Photo\r\nFigure 8. The Google Play page for Business Meta Manager\r\nFake cryptocurrency miner apps that collect private keys and mnemonic phrases\r\nWe also found more than 40 fake cryptocurrency miner apps that are variants of similar apps that we covered in a previous blog entry. These apps are designed to deceive users into buying paid services or clicking on ads by luring them in with the prospect of bogus cryptocurrency earnings.\r\nInitially, after running tests on one of these new variants, named “Cryptomining Farm Your own Coin,” on our test device, we did not detect any advertisements or requests for sensitive information or payment. However, upon clicking the “Connect Wallet” button in the app, we were prompted to enter a private key (a digital signature used with an algorithm to encrypt and decrypt data), which was enough of a red flag that we decided to look into the app further.\r\nFigure 9. The Google Play page for Cryptomining Farm Your own Coin\r\nOur investigation into the app’s manifest file revealed that it was developed using Kodular, a free online suite for mobile app development. In fact, most of the fake cryptocurrency miner apps we previously analyzed were also developed using the same framework.\r\nFigure 10. A code snippet from the manifest file of Cryptomining Farm Your own Coin indicating that the app was developed using Kodular\r\nUpon checking the code, we found that this app only loaded a website. And without any code to simulate mining, there was no way to determine if the app was actually malicious. However, we decided to dig deeper, starting with the URL of the loaded site.\r\nFigure 11. A snippet from the code of Cryptomining Farm Your own Coin showing the app wrapper used for the URL of the loaded website\r\nFigure 12. The mobile version of the website loaded from Cryptomining Farm Your own Coin\r\nTo facilitate further analysis, we tried opening this URL on a desktop web browser. At first glance, the loaded website appears to be quite professionally done. It notifies users that they can participate in cloud-based cryptocurrency mining without any deposits. It also promises 500 gigahashes per second (Gh/s) of computing power to users free of charge after they connect an active wallet.\r\nFigure 13. The desktop version of the website loaded from Cryptomining Farm Your own Coin\r\nThe wallet connection page of the website assures users that their data will be encrypted with AES (Advanced Encryption Standard) and their private keys will not be stored.\r\nFigure 14. The wallet connection page of the website loaded from Cryptomining Farm Your own Coin, including assurances that users’ data will be encrypted and private keys will not be stored\r\nWe entered a number of arbitrary private key strings for testing in the “Import by Currency” tab, and the results of the packet capture analysis told us that the stated claims were false: the site not only uploaded an entered private key, but it also did so without any encryption.\r\nFigure 15. A test private key being sent to the server controlled by the malicious actors behind Cryptomining Farm Your own Coin\r\nIn addition to private keys, this site also steals mnemonic phrases (series of unrelated words that are generated when a cryptocurrency wallet is created). These are typically used to recover cryptocurrency in case the user’s wallet is lost or damaged. In the case of fake apps such as Cryptomining Farm Your own Coin or websites such as the one loaded from this app, an entered mnemonic phrase is sent directly to the malicious actors behind the app or website in question and is uploaded in clear text to their server. This procedure is similar to the fake cryptocurrency wallet app scheme we discussed in a previous blog entry.\r\nFigure 16. A mnemonic phrase being sent to the server controlled by the malicious actors behind Cryptomining Farm Your own Coin\r\nWe located the code in the upload section of the app and confirmed that the site indeed uploads plain-text private keys or mnemonic phrases to the server controlled by the operators of the app.\r\nFigure 17. A snippet from the code behind Cryptomining Farm Your own Coin showing private keys or mnemonic phrases being sent sans encryption to the server controlled by the malicious actors behind the app\r\nTo lure users into signing up for the service, the site uses an airdrop of 0.1 ether (approximately US$240 at the time of this writing) as bait. The claim details of the airdrop cleverly state that a wallet can be claimed only once (so that a user has to bind multiple wallets) and that the wallet must hold more than US$100 (so that the malicious actors behind the app have something to steal).\r\nFigure 18. An airdrop of 0.1 ether used by Cryptomining Farm Your own Coin to lure users into signing up for the app’s supposed service\r\nTo generate an air of legitimacy, the page is populated with likely fake comments by users mentioning that they successfully claimed their 0.1 ether.\r\nFigure 19. Likely fake comments found on the website loaded from Cryptomining Farm Your own Coin vouching for the legitimacy of the promised airdrop of 0.1 ether\r\nInterestingly, upon checking the code showing the alleged creator of the webpage (seemingly mimicking the cryptocurrency wallet ecosystem Klever), we found a hyperlink in the code that turned out to be the Twitter account of Elon Musk, the founder and CEO of Tesla, who is a well-known cryptocurrency investor.\r\nFigure 20. A link to Elon Musk’s Twitter account found in the code of the website loaded from Cryptomining Farm Your own Coin\r\nThis app has already been taken down by Google as of the time of writing.\r\nConclusion and recommendations\r\nFacestealer apps are disguised as simple tools — such as virtual private network (VPN), camera, photo editing, and fitness apps — making them attractive lures to people who use these types of apps. Because of how Facebook runs its cookie management policy, we feel that these types of apps will continue to plague Google Play.\r\nAs for the fake cryptocurrency miner apps, their operators not only try to profit from their victims by duping them into buying fake cloud-based cryptocurrency-mining services, but they also try to harvest private keys and other sensitive cryptocurrency-related information from users who are interested in what they offer. Looking into the future, we believe that other methods of stealing private keys and mnemonic phrases are likely to appear.\r\nUsers can avoid such fake apps by checking their reviews, especially the negative ones, to see if there are any unusual concerns or experiences from actual users who have downloaded the apps. Users should also apply due diligence to the developers and publishers of these apps, so that they can better avoid apps with dodgy websites or sketchy publishers, especially given the number of alternatives on the app store. Finally, users should avoid downloading apps from third-party sources, since these are where many malicious actors host their fraudulent apps.\r\nMobile users can help minimize the threats posed by these fraudulent apps through the use of Trend Micro Mobile Security Solutions, which scan mobile devices in real time and on demand to detect malicious apps or malware and block or delete them. These apps are available on both Android and iOS.\r\nIndicators of compromise (IOCs)\r\nFacestealer\r\nSHA-256 | Package name | Detection name\r\n7ea4757b71680797cbce66a8ec922484fc25f87814cc4f811e70ceb723bfd0fc | com.olfitness.android | AndroidOS_FaceStealer.HRXH\r\nb7fe6ec868fedaf37791cf7f1fc1656b4df7cd511b634850b890b333a9b81b9d | com.editor.xinphoto | AndroidOS_FaceStealer.HRXF\r\n40580a84b5c1b0526973f12d84e46018ea4889978a19fcdcde947de5b2033cff | com.sensitivity.swarmphoto | AndroidOS_FaceStealer.HRXE\r\n6ccd0c0302cda02566301ae51f8da4935c02664169ad0ead4ee07fa6b2f99112 | com.meta.adsformeta3 | AndroidOS_FaceStealer.HRXG\r\n4464b2de7b877c9ff0e4c904e9256b302c9bd74abc5c8dacb6e4469498c64691 | com.photo.panoramacamera | AndroidOS_FaceStealer.HRXF\r\n3325488a8df69a92be92eb11bf01ab4c9b612c5307d615e72c07a4d859675e3f | com.photo.move | AndroidOS_FaceStealer.HRXF\r\nFake cryptocurrency miners\r\nSHA-256 | Package name | Detection name\r\n3d3761c2155f7cabee8533689f473e59d49515323e12e9242553a0bd5e7cffa9 | app.cryptomining.work | AndroidOS_FakeMinerStealer\r\n7c76bff97048773d4cda8faacaa9c2248e594942cc492ffbd393ed8553d27e43 | app.cryptomining.work | AndroidOS_FakeMinerStealer\r\nc56615acac1a0df1830730fe791bb6f068670d27017f708061119cb3a49d6ff5 | app.cryptomining.work | AndroidOS_FakeMinerStealer\r\nMITRE ATT\u0026CK Tactics and Techniques\r\nTactic | Technique ID | Technique name | Description\r\nInitial Access | T1475 | Deliver Malicious App via Authorized App Store | The Facestealer and fake cryptocurrency miner apps are distributed via Google Play.\r\nCredential Access | T1411 | Input Prompt | The Facestealer apps intercept the password during the user’s Facebook login through WebView. The fake cryptocurrency miner apps request a private key under the guise of connecting to the victim’s account.\r\nCollection | T1533 | Data from Local System | The apps collect cookies from WebView.\r\nExfiltration | T1437 | Standard Application Layer Protocol | Malicious code exfiltrates credentials over standard HTTP or HTTPS.\r\nSource: https://www.trendmicro.com/en_us/research/22/e/fake-mobile-apps-steal-facebook-credentials--crypto-related-keys.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/e/fake-mobile-apps-steal-facebook-credentials--crypto-related-keys.html"
	],
	"report_names": [
		"fake-mobile-apps-steal-facebook-credentials--crypto-related-keys.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775441482,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef24bf27f3117992f6090893d966cc3c38498521.pdf",
		"text": "https://archive.orkl.eu/ef24bf27f3117992f6090893d966cc3c38498521.txt",
		"img": "https://archive.orkl.eu/ef24bf27f3117992f6090893d966cc3c38498521.jpg"
	}
}