[REVIEW] : Android: Google deletes a malicious application downloaded 100,000 times

Google removed an app that had more than 100,000 downloads from its Play Store after security researchers reported that the app in question was capable of harvesting users’ Facebook credentials.

Researchers from French mobile security company Pradeo said the app contained a malicious Trojan known as “Facestealer”. This encourages its future victims to enter their Facebook identifiers on a web page, before it transmits them to the server of the group of pirates, located on a domain registered in Russia. “Our research shows that this domain has been used for seven years, intermittently, and that it has been connected to multiple mobile applications which were available on Google Play for a while and then deleted”, argue the French researchers.

If a user adds their credentials, the creators of the Android app can then have full access to victims’ Facebook accounts, including payment information linked to the account, as well as users’ conversations and searches. , Pradeo researchers say. “The app mimics the behavior of legitimate photo editing apps. In fact, it was injected with a small piece of code that easily slips under the radar of store saves,” the French company says in a blog post.

An application downloaded 100,000 times

The application, dubbed “Craftsart Cartoon Photo Tools”, has until now presented itself as a tool allowing its users to “transform amazing images from real cameras into paintings and cartoons” thanks to an advanced artificial intelligence. powered by machine learning. “To reach a wide audience and conceal its illegal activities, it mimics the behaviors of popular photo editing apps. In reality, it was injected with short lines of code that easily go unnoticed during store security checks,” Pradeo teams explain.

“We have alerted the Google Play team of our discovery and we advise users of this application to delete it immediately”, specify the latter.

Still, the facade didn’t take long to be questioned by users themselves, who had detected issues with the app and criticized it accordingly, validating the importance for users to always read the reviews before installing an application.

The Play Store is not immune

“Totally false. The way the publicity was done seems helpful. Then check out just a few filter effects for any photo,” one app user wrote in March. “No caricatures anywhere. Don’t download,” another user criticized. Once users open the fake photo-editing app, it opens a Facebook login page that asks them to identify themselves before they can use the app. The credentials are then passed to the application owner’s server.

While Google encourages Android users to only install apps from its app store, research has already shown that malicious apps can find their way everywhere, including to the Google Play store.

This is not the first time that Pradeo has spotted malicious applications. In December, the French company had already sounded the alarm about the Joker malware, distributed on the Play Store and installed by more than 500,000 users. This malicious application attempted to scam users by offering premium mobile services and unwanted advertisements.

Play Store: quickly uninstall this malicious app downloaded more than 100,000 times

Unfortunately, unearthing malicious applications on the Google Play Store has become commonplace. Fortunately, they are not in the majority, but the risk exists. The latest finding from Pradeo security researchers – explained via a blog post – is further proof of this.

These experts have unearthed an infected application by the name of Craftsart Cartoon Photo Tools, which is primarily used to download an image to apply a cartoon-type filter to it. Problem: this app, downloaded more than 100,000 times, is able to steal your Facebook credentials.


Like many apps today, Craftsart Cartoon Photo Tools requires you to log in to your Facebook account to access its features. This is where the magic of hackers operates: the Facebook login page is actually fake and skilfully well imitated by hackers.

In addition, a small piece of code has been entered so that it goes unnoticed vis-à-vis the protections of Google Play. It is therefore this code that allows them to collect the identification information. In short, the whole process seems to have been cleverly and underhandedly automated.

Still available on the Play Store as of March 21, according to several English-language media such as Bleeping Computer, the editing application has since been removed from Google’s application store. But it helps to draw everyone’s attention to the reliability of certain apps. However, remember to uninstall it if you are one of the victims.


To better arm yourself against this kind of mishap, remember to look at the rating and comments of an application in case of slight doubt. To go further, you can also do a Google search on it or check if the contact details of the developer are consistent right after downloading, directly in the “Developer contact details” section.

If you have this application on your mobile, you must remove it as soon as possible: it can steal your Facebook account

Craftsart Cartoon Photo Tools is not what it claims to be, so be careful with those apps that as soon as you open them ask you to connect to your social networks or other services.

It seems like the malware has bounced back a bit lately, surely with the convulsive situation that exists on a global scale as an explanation and with the Internet as a very important point of attack and/or misinformation, which has led us to see malicious applications such as Escobar and RedLine , capable of bypass two-step verification and even hiding in YouTube videos.

Today we have another Dangerous apps that appear cyclically on Google Playand the fact is that the colleagues from Pradeo have discovered that a totally harmless application like Craftsart Cartoon Photo Tools, really hides inside a Spyware named Facestealer who is able to rob us facebook identifiers in a simple and almost transparent way for us.

We are not talking about a minor problem, because the truth is that Craftsart Cartoon Photo Tools currently has more than 100,000 downloads on Google Playand a simple trick in its interface which consists of using social engineering techniques to obtain our Facebook credentials, then establish connections with a Russian server send the obtained data.

In order for you to identify it correctly, app data on google play are the following:

  • Craftsart cartoon photo tools

According to the discoverers themselves, the good part is that Google is already aware of the casebut the bad news is that out of those 100,000 users, a huge percentage have probably been hacked without realizing it, and still more will be in those hours or days it takes to remove Mountain View store app. For the moment, of course, it is still available…

This application downloaded more than 100,000 times steals all your passwords, uninstall it as soon as possible

Android malware, dubbed Facestealer, is rampant on the Play store and has the unpleasant defect of taking over the account Facebook of his victims.

Spyware, named Facestealer, has been discovered by several companies specializing in computer security in recent days, such as Pradeo or Malwarebytes Labs, after being installed by more than 100,000 users who fell into the trap while using the Google Play Store. . The malware uses social engineering to compromise users’ Facebook accounts. Let’s see what it is in detail.

Hackers were using a fake Facebook login screen to access the account from the fraudulent app

Distributed on Android via the Play Store, the Facestealer malware (code name Android/Trojan.Spy.Facestealer) was originally presented as a banal cartoon-type application, called “Craftsat Cartoon Photo Tools”, whose principle is simple: the user uploads an image or a photo, and the application is responsible for converting it into a cartoon image. A real trend among mobile users, which hackers do not hesitate to exploit.

As is often the case when you use a mobile application, it asks you to link your Facebook account to it, for example to obtain certain advantages. Sometimes it is mandatory to link the Facebook account to the application. This is when the malware does its thing. Except that the Facebook login page does not really come from the social network, but from hackers, who use a larger than life Facebook login screen to steal the user’s username and password.

So why take possession of the Facebook account(s) of the victims? Hackers use these accounts in different ways. They may send phishing links, spread false information using legitimate accounts, or commit fraud and other financial scams. In addition to the Facebook account, the hackers also seize elements such as the IP address of the device used by the victim, but also the information related to the credit card (if they have been entered), all the conversations, research and others.