Google Play removes malware that steals Facebook credentials

Jamf Threat Labs researchers investigated an Android app (that has since been removed from Google Play on March 22) that was capable of stealing Facebook login credentials (username and password) from users. The app is called Craftsart Cartoon Tools and it was also reported by researchers at Pradeo.

April 8 2022 by

Jamf Threat Labs

Malware asking for a user's credentials

By using open source intelligence (OSINT) data, our researchers were able to identify other apps with ties to Craftsart Cartoon Tools (see ‘Related samples’ below).

No counterparts were found in Apple's App Store.

Impact

At the time of discovery, the app had 100,000+ installs on Google Play.

One of the two related apps discovered by our researchers had 100,000+ installs on Google Play. This app has also since been removed from Google Play.

Functionality

Login screen that reads: login to experience the full function of the application | Continue with Facebook [Facebook icon]

Upon start, the app provides the user with a Facebook login prompt (pictured below) that states “login to experience the full function of the application,” which leads the user to believe Facebook login is required for authentication.

Clicking on the “continue with Facebook” button redirects the user to what appears to be a legitimate Facebook login page.

After login, the app sends the user’s credentials in encrypted form to a command and control (C&C) server.

Code from Craftsart Cartoon Tools malware showing encrypted credentials and an encryption key

Related samples

The reported app seemed to be the only one on Google Play at the time of research, but there are several ties to other similar apps.

Apps communicating with same domains

Craftsart Cartoon Tools app communicates with two domains:

  • www.dozenorms.club
  • zatuu.info

Using OSINT sources, our researchers were able to identify two other apps communicating with these domains. The fact that these apps contain these domains in their code suggests they may also be dangerous, though malicious functionality is not confirmed.

  • com.fabiomancini.cartoonpainteffect (removed from Google Play)
    • Claims to provide similar functionality as Craftsart Cartoon Tools.
    • The app did not function at all, only showed a blank screen.
  • com.xonasounds.relaxing (not present in Google Play)
    • Communicates with www.dozenorms.club

Apps with relation to malicious payload

The Craftsart Cartoon Tools app contains an encrypted payload. After decryption, the payload is another APK that is responsible for sending stolen data to the C&C server.

The decrypted APK has the hash 976f68632dbdce7f883c1edcd438060416db64fac7f26f5ad5c2211aa87d9853 and the package name com.craftstoon.cartoonphoto.ppk.

This malicious payload is signed by the app signing certificate fad32bf007d006b6bf3b9e5d4c5f1dd8176a159d.

The same certificate was used to sign another app with similar functionality, com.georgebowman.cartooneffect.photoeditor. This app is no longer present in Google Play, but from OSINT data we can conclude that it once was.

Indicators of Compromise

Malicious app samples

  • com.craftstoon.cartoonphoto
  • com.fabiomancini.cartoonpainteffect
    Communicates with www.dozenorms.club
  • com.xonasounds.relaxing
    Communicates with www.dozenorms.club
  • com.georgebowman.cartooneffect.photoeditor
    Signed by fad32bf007d006b6bf3b9e5d4c5f1dd8176a159d
  • 976f68632dbdce7f883c1edcd438060416db64fac7f26f5ad5c2211aa87d9853
    Malicious payload embedded in com.craftstoon.cartoonphoto

Malicious C&C samples

  • dozenorms.club
    Embedded and contacted by samples
  • zatuu.info
    C&C for credentials exfiltration

Misc

Signing certificate of the embedded malicious payload: fad32bf007d006b6bf3b9e5d4c5f1dd8176a159d
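The indicators above can be applied to APK files directly: an APK is a ZIP archive, so a triage script can hash the file, search every entry for the C&C domain strings, and flag entries that are themselves ZIP/APK files (a dropper pattern; the payload in this report was encrypted, so it would only be caught this way after decryption). The following is an added example written for this post, not code from Jamf Threat Labs or from the malware; the `build_sample_apk` stand-in archive is constructed here for demonstration.

```python
import hashlib
import io
import zipfile

# Indicators taken from the report above.
KNOWN_BAD_SHA256 = {
    "976f68632dbdce7f883c1edcd438060416db64fac7f26f5ad5c2211aa87d9853",
}
C2_DOMAINS = (b"dozenorms.club", b"zatuu.info")


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_c2_domains(apk_bytes: bytes) -> set:
    """Return report C&C domains found as plain strings in any APK entry (DEX, assets, resources)."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            hits.update(d.decode() for d in C2_DOMAINS if d in data)
    return hits


def find_nested_apks(apk_bytes: bytes) -> list:
    """List entries whose content starts with a ZIP local-file header, i.e. an embedded APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [i.filename for i in zf.infolist() if zf.read(i)[:4] == b"PK\x03\x04"]


def triage(apk_bytes: bytes) -> dict:
    digest = sha256_of(apk_bytes)
    return {
        "sha256": digest,
        "known_bad_hash": digest in KNOWN_BAD_SHA256,
        "c2_domains": sorted(find_c2_domains(apk_bytes)),
        "nested_apks": find_nested_apks(apk_bytes),
    }


def build_sample_apk() -> bytes:
    """Constructed stand-in for a suspicious APK: a fake DEX with a C&C URL plus an embedded inner APK."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00 payload")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00 https://www.dozenorms.club/api/ ")
        zf.writestr("assets/inner.apk", inner.getvalue())
    return outer.getvalue()
```

Run `triage(open(path, "rb").read())` over a directory of APKs to surface hash matches, embedded C&C domains and nested archives for manual review.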
