FaceStealer Description

FaceStealer is an infostealer Trojan that specifically targets Android devices. The goal of the cybercriminals spreading the threat is to obtain the Facebook accounts and login credentials of their victims. The collected accounts can then be exploited in various ways, such as further dissemination of malware threats, advertising dubious content, being part of disinformation campaigns and more.

The FaceStealer threat spreads via weaponized applications disguised as popular Android software products. So far, infosec researchers have identified 26 targeted applications belonging to various categories, such as horoscopes, application lockers, VPNs, photography, etc. 

Once installed and executed, the malicious program displays a window from the original, legitimate application to avoid alerting the user to its true intentions. This initial window then redirects to a login page that asks users to sign in with their Facebook credentials to access the application's functionality.

The page shown is the legitimate Facebook login page with malicious JavaScript code injected into it. The injected code records all of the entered information (email addresses, phone numbers, passwords) and sends the details to the cybercriminals. FaceStealer also tries to gather private user-agent or cookie data.
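For analysts triaging a suspect APK, the behaviour described above can be turned into a static check over decompiled sources. The following is an added example, not code from the original page or from any vendor: it assumes the login page is rendered in an Android WebView, and the indicator grouping, the "all three groups" rule, the function names and the sample snippets are constructed for illustration.

```python
import re

# Android API names are real; grouping them this way is this example's assumption.
INDICATORS = {
    # The genuine Facebook login page is what gets loaded
    "facebook_login_page": re.compile(
        r"https?://(?:m|www|mobile)\.facebook\.com/login", re.I),
    # App-supplied script is pushed into the page it displays
    "script_injection": re.compile(
        r'\.evaluateJavascript\s*\(|\.loadUrl\s*\(\s*"javascript:'
        r"|\.addJavascriptInterface\s*\("),
    # Cookie or user-agent values are read back out of the web session
    "session_data_read": re.compile(
        r"CookieManager\b.*\.getCookie\s*\(|\.getUserAgentString\s*\("),
}

def triage(source):
    """Return {indicator_group: [line numbers]} for one decompiled source file."""
    hits = {name: [] for name in INDICATORS}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits[name].append(lineno)
    return hits

def is_suspicious(hits):
    """Flag only when all three behaviours co-occur in the same file."""
    return all(hits[name] for name in INDICATORS)

# Constructed samples (not taken from any real application)
SAMPLE_FLAGGED = '''\
webView.getSettings().setJavaScriptEnabled(true);
webView.loadUrl("https://m.facebook.com/login.php");
webView.evaluateJavascript(remoteScript, null);
String c = CookieManager.getInstance().getCookie(url);
String ua = webView.getSettings().getUserAgentString();
'''

SAMPLE_BENIGN = '''\
webView.loadUrl("https://example.com/help");
webView.evaluateJavascript("applyTheme()", null);
'''

if __name__ == "__main__":
    for label, src in (("flagged", SAMPLE_FLAGGED), ("benign", SAMPLE_BENIGN)):
        hits = triage(src)
        print(label, is_suspicious(hits), hits)
```

A match is a lead for manual review, not a verdict: each API on its own is common in legitimate applications, which is why the check requires the three behaviours together.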