detection icon

Short bio

Android/Trojan.Spy.Facestealer is Malwarebytes’ detection name for a family of Android Trojans that use social engineering to compromise Facebook accounts.


Android/Trojan.Spy.Facestealer shows the use of an affected system screens that ask for the user’s input and finally the user is shown the Facebook login page and asks to log in. At which point injected malicious javascript steals the login credentials and sends them to a Command & Control server. The C& C server makes use of login credentials to authorize access to the harvested data.

Type and source of infection

Android/Trojan.Spy.Facestealer was distributed in the Google Play  Store and on third-party application stores. Once Android/Trojan.Spy.Facestealer is running on an infected Android system it tries to steal information from the user’s Facebook account, including the email-address and the IP address.


When your login credentials for a social media account have been stolen this can have serious consequences. It gives threat actors a base from which to gather more information.


Malwarebytes for Android protects against Android/Trojan.Spy.Facestealer.


These apps can be uninstalled using the mobile devices uninstall functionality, but these apps will be made available under different names. That is where Malwarebytes for Android can help you, by identifying these apps and removing them.