Creepy-sounding Facestealer spyware found inside cartoon app with 100,000 Play Store downloads

Android Police

By Steve Huff

Published Mar 23, 2022

It doesn't literally steal your face — but it's still bad

Kids and apps can be a dangerous combination, as any parent who's discovered a mountain of IAP charges on their account can attest to. And while new tools and safeguards are always becoming available, so too do threats constantly evolve. The innocent-sounding Craftsart Cartoon Photo Tools app was listed on the Play Store for all ages, and while it may have promised harmless fun, it turns out to have been hiding a Facebook credential-stealing Android trojan with a creeptastic name: Facestealer.

Researchers at the French cybersecurity firm Pradeo report that the application was downloaded more than 100,000 times before Google removed it from the Play Store on March 22. It probably passed muster in the first place because it worked like similar-looking, genuine photo editing apps — but concealed malicious functions in a small bit of easily-missed code. Once the victim had Craftsart Cartoon Photo Tools (archived link) on their phone, it would request Facebook login credentials. That might not sound unusual to a user, so the unwary could then enter their information only to have it funneled back to a Russian server, giving the Android app's operators access to Facebook accounts and any of the vital information so many users have linked to their profiles, like credit or debit card numbers.

Facebook login credentials can also be a moneymaker for cybercriminals selling them on the dark web. With stolen FB info it's not too hard to commit all vareity of fraud, start distributing phishing lures, or just churn out propaganda on behalf of the highest bidder. Despite the relatively high number of downloads, it doesn't seem like the app worked well enough to hide that it was seriously flawed. Reviewers showered it with one-star ratings prior to its removal, commenting with warnings that it was fake, barely functional, or didn't work at all.

If you have the app, delete it immediately and make sure to change your Facebook password. Consider a full factory reset for your phone, as well, and stay wary — hiding malware and spyware inside innocent-looking apps grows more common all the time, and it's not always easy to spot the apps behind these attacks.