article featured image


The Google Play Store has seen over 100,000 downloads of malicious Android software that performs Facebook credentials theft. It seems that the application is still available for download.

Android Password Stealing Malware Poses as Cartoonifier App

The discovered malware poses as “Craftsart Cartoon Photo Tool” which is a cartoonifier software that permits users to upload a photograph and then change it into a cartoon rendering.

The Android app has a trojan named ‘FaceStealer,’ which shows a Facebook login page and demands users to register in before accessing the program, according to security researchers and mobile security company Pradeo that published a report on this topic.

As soon as the application is launched by users, a Facebook login page is opened and they cannot use the application if they do not log in. When they do, their username and password are automatically transmitted to cybercriminals that own the application. (..) Facebook credentials are used by cybercriminals to compromise accounts in multiple ways, the most common being to commit financial fraud, send phishing links, and spread fake news.


While users submit their credentials, the app redirects them to a command and control server at zutuu[.]info [VirusTotal], which the hackers can then collect, Jamf security expert Michal Rajan mentions.

The malicious Android software will also connect to the www.dozenorms[.]club URL [VirusTotal], which has previously been used to advertise other malicious FaceStealer Android applications.

The apps’ author and distributor seems to have automated the repackaging process and injected a small bit of harmful code inside an otherwise legal software, according to Pradeo’s study.

This allows the apps to bypass the Play Store vetting process without being flagged. The user is provided no genuine functionality as soon as they open it unless they register into their Facebook account.

However, what happens once customers log in, is that the app will only offer limited functionality by uploading a specific image to the online editor http://color.photofuneditor.com/, which will add a graphics filter to the image.

This updated image will then appear in the app, where the user can download it or share it with others.

Because it has become a common practice for many programs to demand users to check in to a server that isn’t always necessary, such as Facebook, users have grown accustomed to these prompts and are more likely to enter their credentials without suspecting anything.

Be Careful When Installing  Cartoonifier Apps

People should be particularly cautious when installing software that asks them to provide sensitive information such as biometric data (images of their faces for instance).

And that’s because these types of programs modify images and apply filters on a distant server rather than locally on the device, putting your information at danger of being stored for an indefinite period of time or even shared with others, resold, and so on.

If users find a certain Android app in the Play Store, they might conclude by default that it is safe and reliable. However, the bad news is that harmful Android apps can sometimes find their way into the Google Play Store and can remain there until they are discovered by security organizations or they come to seem suspicious because of the negative reviews.

How to Spot Such Malicious Apps

In many circumstances, though, checking scammy or harmful app evaluations on Google Play can help you identify it.

First, you should look at the reviews. In this case we’ve been talking about, Craftsart Cartoon Photo Tools has many negative reviews. In addition, several of these reviews state that the app has limited functionality and that you must sign in to Facebook to use it.

Then, as BleepingComputer publication explains, ‘Google Commerce Ltd’ is the name of the developer, pointing out that it was developed by Google. The fact that the listed contact information includes a random person’s Gmail email address makes for a huge red flag. According to the same publication, it found a different email address in the app privacy policy on the developer’s page suggesting thus a mismatch in terms of which email addresses are specified.

The Craftsart Cartoon Photo Tools app has been reported to Google by Pradeo.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Andra Andrioaie

Security Enthusiast

linkedin icon

Hi! My name is Andra and I am a passionate writer interested in a variety of topics. I am curious about the cybersecurity world and what I want to achieve through what I write is to keep you curious too!

Leave a Reply

Your email address will not be published. Required fields are marked *