Facestealer Trojan from Google Play Store app 'Craftsart Cartoon Photo Tools' steals Facebook credentials

Security researchers from Pradeo have discovered an Android app, Craftsart Cartoon Photo Tools, in the Google Play Store. It is infected with the well-known Facestealer Trojan, and 100,000 people have downloaded the app onto their devices. The Trojan steals Facebook credentials in a fairly trivial way.


I came across the issue via various articles [1] on security sites. The following tweet sums up the whole thing in a screenshot and a short text.

Facestealer trojan

There was an Android app with the process name com.craftstoon.cartoonphoto in the official Google Play Store (now removed, but possibly still downloadable in alternative stores) that was installed by over 100,000 users. The app promised to turn photos into cartoons, which was probably quite tempting for many users.

The app simply presented people with a Facebook login page when it started, and then waited for the victims to enter their Facebook login details. These credentials or the access token were then transferred to a C&C server, giving the people behind the app access to the Facebook account in question.


The security researchers at Pradeo have published their findings in this blog post. The app they tracked down in the Google Play Store shipped with an embedded Android Trojan called Facestealer. The Trojan used social engineering to steal the victim's Facebook credentials and connected to a Russian server. The perpetrators using the spyware then have full access to the victim's Facebook account and all the data it contains, and can also post, comment and share their own posts via that account.

The Trojan has been known for some time, according to this Malwarebytes post, and is said to be removable by uninstalling it via the Android app settings page. The security researchers have informed the Google Play team about their discovery and advise users of this app to uninstall it immediately. The Facebook access data should also be changed immediately, and it is recommended to log out of the Facebook account and log in again. In addition, the Android device should be checked for malware with a security app.
