A couple of days ago HackRead exclusively reported on a Fidget spinner app that has been sending other apps data to a server in China. Now, IT security researchers at Kaspersky Lab identified around 85 apps in Google Play during October and November 2017 that were stealing credentials for VK.com, a Russia-based social networking platform.

A majority of these apps were listed in the Play Store in October while some were uploaded in July. One of them had over a million downloads whereas some apps had around a thousand installations. Many apps were quite popular among users since 7 apps had approx. 10,000 and 100,000 downloads and 9 of them were installed between 1,000 and 10,000 times.

The apps that were most popular were gaming apps submitted to Google Play during April 2017. These apps were although uploaded without any malicious code after an October 2017 update, these were equipped with credential stealing capabilities. Over a million downloads were gathered by one of the gaming apps in just 7 months.

“These apps were not only masquerading as Telegram apps, they were actually built using an open source Telegram SDK and work almost like every other such app,” researchers wrote in a blog post.

Conversely, the majority of offending apps were created to appear as apps for VK.com, which allows users to listen to music or track user page visits. This type of apps usually requires users to log in to their account prior to using the service and this is why it was never suspected of foul play.

The apps checks for the language of the devices first and asks for credentials only if the user has enabled Russian, Kazakh, Ukrainian, Belarusian, Romanian, Armenian, Azerbaijani, Uzbek, Kyrgyz or Tajik as the device’s language. It is worth noting that this particular campaign is targeted at VK.com users only since this site has quite a huge following in CIS countries.

Kaspersky Lab researchers identified that the attackers behind this campaign have been publishing their malicious apps in Google Play since two years and have over the years modified the malicious code to evade detection. The infected apps used an official SDK for the Russian website VK.com so that the user is tricked into entering his or her login credentials. The information received is then encrypted and uploaded to a remote server. This server is controlled by the attacker. Though most of these malicious applications contain described functionality some of them are a bit different as these not only extract credentials but also upload them too.

According to researchers, the attackers use credentials for the promotion of groups in the website VK.com and silently keep adding users for increasing the popularity of these groups. Google has removed all the credential stealing applications that were identified as Trojan-PSW.AndroidOS.MyVk.o and Telegram clients not-a-virus:HEUR:RiskTool.AndroidOS.Hcatam.a.

In case the apps have been installed, it is possible to remove them by enabling Google Play Protect, the newly launched security feature that removes malicious apps from Android smartphones through machine learning and apps usage analysis.