Android users: Avoid and delete this app – it’s stealing passwords
Uninstall ‘Craftsart Cartoon Photo Tools’ if you downloaded it
Android users downloaded ‘Craftsart Cartoon Photo Tools’ over 100,000 times before Google took it off the Play Store.
Found by security researchers at Pradeo, the app has a nasty trojan dubbed ‘FaceStealer.’
The malware tricks you into entering your Facebook login details, then sends those credentials to a Russian-based server. Yikes.
Your Facebook details aren’t the only thing it wants.
The app can also siphon credit card details, conversations, searches, or almost anything the attacker can take.
Photo editing apps that cartoonize images are a hot category. Most apps let you use them before logging into an account, but not here.
This credential-stealing malware won’t let you use the actual app without entering your Facebook details.
Why does it need your Facebook login?
BleepingComputer notes that “users have become numb to these login prompts.”
I mean, how many apps want you to use Facebook to log in? It’s an option for many, even if it’s not necessary.
Their report also has some good tips for vetting unknown apps. We’ll summarize them here, since all of these points should be considered when downloading apps from unknown developers.
First, check the app’s reviews. If it has a low score or reviews like “doesn’t function” or “totally fake,” it’s not worth downloading.
Next, check the developer’s name.
Here, it’s “Google Commerce Ltd” with a random Gmail address as the developer contact. This should be a red flag on its own.
If there’s a link to the developer’s page, visit it and see if things match the Google Play listing. Any mismatches should be another red flag.
Last, you can always try emailing the developer’s contacts.
Any email that bounces back is the final red flag. No active, trustworthy developer would have a dead email.
With that said, if you have the Craftsart Cartoon Photo Tools app installed on your device, we suggest removing it.
Then, reset your Facebook password, and consider adding two-factor authentication if you haven’t already. It never hurts.