GhostTeam: Beware Of This Facebook Hacking Malware !

Very recently, a new piece of malware was detected that pretends to be a legitimate app but actually steals your Facebook password and then floods your screen with ads. This dangerous Facebook hacking app has been named GhostTeam. So this is not really an app; it is Facebook hacking malware! Yeah, you heard right.

The app actually tricks users into installing it. According to the security researchers at Trend Micro, this Android malware has been present in 53 different apps, and one of these apps was downloaded more than 100,000 times. It has primarily affected users in Indonesia, Brazil and India. The surprising thing is that it had been present on the Google Play store since April 2017. This means the app may be on its way to target US-based customers too. It is suspected that GhostTeam was developed or uploaded to the Play Store by a Vietnamese developer, since the language used in the code is Vietnamese.

How does this Facebook hacking malware work?!

GhostTeam steals the Facebook credentials of the user. Why it does that is still unknown. Some security experts say that it could be building a zombie social media army for spreading fake news articles, or maybe developing crypto-mining malware. As this malware pushes full-screen ads onto the infected devices, it’s likely doing this to generate click revenue. Generally, seeing advertisements from apps is not inherently bad, but it can become a problem if they are intrusive or they seek unnecessary information. Such ads can become a doorway for other malware too.


GhostTeam was found hiding behind social media video downloaders, utility apps, QR scanners and flashlight apps in the Google Play store. These apps don’t contain the GhostTeam malware itself; rather, the malware uses a multi-stage attack to hide its payload. This hacking app for Facebook has its own way of getting onto your phone, which is pretty unique. It lands on your phone when you download a clean app and then it starts infecting your device. Many security experts have been puzzled by the way in which this app steals the Facebook credentials. The malware does not display any fake login screen on top of your original Facebook app. Instead, it steals your credentials from the actual Facebook login page. When the user tries to open his real Facebook app, this malware opens the login page inside a native Android headless browser component. Malware like this has a portable browser that developers smartly embed inside the app, giving the developer full control. That is why it is easy for GhostTeam to steal the Facebook passwords of users and then bombard them with intrusive ads.


So here is how it all begins. Once the app verifies that your device is real, it retrieves the payload, which disguises itself as Google Play Services and pretends to verify the app. If you open Google Play or Facebook, it will display an alert that may trick you into installing the fake Google Play Services. If you install it, the payload will prompt you to activate or enable Device Administrator. After this, when you open your Facebook account, a dialogue box will open up, asking you to verify your account. You consider it normal, but behind the screen, a WebView is executed where malicious code is injected to steal your email address and password. Once the data is collected, it is sent to the remote server of the malware which is, of course, under the control of GhostTeam.
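The two traits described above, an app borrowing the Google Play Services name and then holding Device Administrator rights, can be checked in an app inventory. The sketch below is an added example, not code from Trend Micro or from the malware; the inventory format and the `com.example.*` package names are assumptions, and `com.google.android.gms` is the package name of the genuine Google Play Services.

```python
import unicodedata

GENUINE_PACKAGE = "com.google.android.gms"  # real Google Play Services package
PROTECTED_LABEL = "google play services"

# Constructed inventory, e.g. from an MDM export; the com.example.* names
# are made up for illustration and do not come from the article.
SAMPLE_INVENTORY = [
    {"label": "Google Play Services", "package": GENUINE_PACKAGE, "device_admin": True},
    {"label": "Google Play\u200b Services", "package": "com.example.flashlight.update", "device_admin": True},
    {"label": "GOOGLE  PLAY SERVICES", "package": "com.example.qrscan.helper", "device_admin": False},
    {"label": "QR Scanner", "package": "com.example.qrscan", "device_admin": False},
]


def normalize(label):
    """Fold case, drop accents and invisible format characters, collapse spaces."""
    decomposed = unicodedata.normalize("NFKD", label)
    visible = "".join(
        ch for ch in decomposed
        if not unicodedata.combining(ch) and unicodedata.category(ch) != "Cf"
    )
    return " ".join(visible.casefold().split())


def audit(inventory):
    """Return (severity, package) for apps that borrow the protected label."""
    findings = []
    for app in inventory:
        if app["package"] == GENUINE_PACKAGE:
            continue  # the genuine package is allowed to carry this label
        if PROTECTED_LABEL not in normalize(app["label"]):
            continue
        # A look-alike that is also a device administrator is the riskier case.
        severity = "high" if app["device_admin"] else "medium"
        findings.append((severity, app["package"]))
    return findings


if __name__ == "__main__":
    for severity, package in audit(SAMPLE_INVENTORY):
        print(f"[{severity}] {package} uses the Google Play Services name")
```

This is a label heuristic only; it does not verify the signing certificate of the genuine package.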

Many people have started comparing GhostTeam to a Facebook spying app. It is malware, and it is different from spying apps. Spying apps are basically meant to monitor someone’s Facebook conversations. Xnspy is one such famous Facebook spying app, but it’s not downloaded onto a phone through another app. Instead, you have to manually install it on the device that you want to monitor. Then, you are provided with a web account that lets you monitor the Facebook messages of another phone.

How to tell if your Facebook account is in danger?

If you have downloaded a random program from the Google Play Store or a third-party website, your Facebook account might be in danger. If you see annoying displays on your phone, it’s an indication that GhostTeam malware is now working on your device. It will flood your device with unwanted promotional content.

To make sure that suspicious sources haven’t stolen your Facebook credentials, it is recommended to regularly check your activity log. If a hacker is using your account, he is probably secretly liking posts or websites. Chances are some disturbing content is posted on your timeline, so don’t forget to check that too. It is recommended to change the password to your Facebook account to stay safe.

How to stay safe from GhostTeam?

There are ways you can protect your device from getting affected by GhostTeam. Here are some of them:

Make sure you have a reliable antivirus application installed on your Android device.

Before downloading any app on your phone, have a look at the reviews. The comments and ratings of the app will also give a good idea about its legitimacy.

Keep your device updated. Whenever a new version of the OS is launched, it comes with new security patches. Updating the OS removes all malware, even a Facebook spying app, from your device.

If you suspect that your device has been infected by this malware, you can mitigate the risk by disabling your Device Administrator permissions in the phone’s Settings.

Enable two-factor authentication for your Facebook account. It is best if you enable it on all your social media accounts.

The good news is that Google Play has immediately taken action. The names of the apps that were affected by this malware are out and they have been removed from the Play store. Google Play Protect has been updated about this malware attack too. If you accidentally installed any app containing this malware on your device, take the measures listed above and make sure your Google Play Protect is enabled.

Anuj Mishra

Admin, Founder & Chief Editor at HackeRoyale
Engineer. Blogger. Ethical hacker. Penetration Tester. Deep Webbie. Bug hunter. Security Analyst. Web Developer. Techie. Programmer. Foodie. Music Lover. Traveller. Enthusiast.
