Facestealer spyware detected across over 200 Google Play apps: what you need to know
Over 200 apps on the Google Play store have been found to harbor the spyware known as Facestealer. What is Facestealer? How can you make sure you don’t accidentally download it?

Facestealer spyware
Facestealer spyware shares many similarities with another piece of malware currently still notorious in cybersecurity circles — Joker malware. Facestealer and Joker have constantly changing coding, making it difficult for antivirus software to detect them immediately. However, where Joker malware focused on signing a victim up to several bogus subscription services and siphoning the money away, Facestealer has a more insidious approach.
The purpose of Facestealer spyware is to steal important user credentials. To get a foothold on a user’s device, it has to masquerade as a completely different app. This form of trickery is a classic example of hackers using social engineering to entice people into downloading something harmful.
So far, Facestealer spyware has been found hiding over 200 fake apps. Over 40 of the apps are advertised as VPN services, with the second and third place taken by photography and photo editing apps.
How quickly do harmful apps get removed from Google Play?
According to a study by Trend Micro, a cyber security firm, as soon as Google was made aware of the Facestealer fake apps, they were removed immediately. However, Trend Micro’s research went on to reveal more troubling statistics.
Potentially harmful apps, or PHAs, remain on Google Play for 77 days, on average. PHAs also tend to move between devices. When a user switches devices and automatically transfers the data, the harmful apps are part of that automatic backup. Up to 14,000 PHAs were transferred over to 35,500 Samsung devices, all through the Samsung Smart Switch app.
Want to read more like this?
Get the latest news and tips from NordVPN.
How to recognize Facestealer apps
Depending on the amount of effort a malicious actor wants to put into their ruse, recognizing a Facestealer app can be difficult. Remember, the cybercriminal wants you to download their app, so they will try every trick in their arsenal. A good telltale sign is if the app is free. After all, what’s more enticing than a “free VPN service”? If it sounds too good to be true, it usually is.
The best ways to figure out the legitimacy of an app? Check the reviews, and do your research. Swipe over to the review section of the app and see if any victims of Facestealer have left a warning. How about the rating? Is it way below the average? That’s a good indication the app isn’t to be trusted. Even if an app has a 5-star rating, check the reviews again. Sometimes a flood of 5-star reviews without any comments can also be suspicious. Have a look at the usernames leaving the ratings: do they seem like actual names or just a garbled string of letters and numbers?
If you’re still unsure of the app after seeing the reviews, head to several internet forums. If the app in question is phony, there will be plenty of people online willing to share the shady practices they fell victim to.
By being aware of the Facestealer spyware, you’re already one step ahead of the hackers trying to infect your device. Think twice before downloading a free app — it could save you a lot of hassle and time.