Author's Note: We at Malwarebytes continue to do our part in educating our product users and constant blog readers about day-to-day online threats and how they can avoid falling prey to them. "PUP Friday", our latest attempt at getting users acquainted with files they may need to watch out for in the Wild Web, offers an in-depth look at some interesting and quite notable potentially unwanted programs (PUPs). Expect to see this type of content pushed out twice a month at the end of a work week.
What you're about to read below is our first PUP Friday post.
UPDATE: Here at Malwarebytes, we do our best at pointing out the facts and true dangers behind all online threats. Though we are only human and very rarely we can be overzealous in our attempts to inform our users of online threats. Unfriend Alert reached out to us after this blog post to let us know what our analysis was incorrect and upon further inspection, it turns out that our initial belief that Unfriend Alert was possibly stealing Facebook credentials was incorrect.
The above shows a traffic capture while installing and using Unfriend Alert to sign into a Facebook account. The yellow area shows Unfriend Alert reaching out to it's own domain "yougotunfriended.com" in order to show a "thank you for installing" webpage. The green shows a secure SSL tunnel being created between the system and Facebook servers. The connection is where Facebook interacts with the user in order to log them in.
After login, the Facebook side of this app will show information about the profile, most users don't see this because of Unfriend Alerts user interface.
If we take a deeper look, analyzing the Wireshark traffic from the same communication, we will see the application beacon out once again to it's domain, sending a "GET" request which was originally mistaken as a means for the application to send stolen Facebook credentials. In reality, the application is simply downloading the script required to parse through the friend list and log that information into a sqlite database file, located only on the user's system. This file is then used by the application to compare between parses and provide the user with information as to who unfriended them.
Anyone familiar enough with malware analysis knows that GET requests can be used to not only retrieve information but also send it, in the form of custom designed requests that actually include dynamic data, which is later stored by the remote command and control servers and used to steal personal information from the user. A lot of botnet malware utilizes this trick. With that being said, we were too quick to jump to conclusions concerning whether or not Unfriend Alert was stealing passwords.
While Unfriend Alert does not do anything inherently malicious to the system, its practices may still hold a threat to users who are not careful. Unfriend Alert makes mention that they use advertisers in order to pay for the costs associated with keeping the application running may not be so safe.
Finally, we wanted to point out that while Unfriend Alert is a safe application to use and that your Facebook credentials are safe if you've already used it, it's still a great idea to change your passwords periodically & realize that most applications which claim to do things like Unfriend Alert does may (and in all likelihood probably do) cause harm to your system or use your personal information for nefarious purposes.
If you find that you don't want to use Unfriend Alert anymore, we have confirmed that their uninstall program cleans up nearly every change it makes to the system, anything left behind is not malicious or damaging to the system.
Changing your Facebook password is easy! You can do this under “Settings”
Under “Password” use the “Edit” link
Then select the option to log out of other devices just in case the account is open somewhere else.
Use the option you will be offered to “Secure your account” and review the changes that were made. Check that you were the one that made those changes.
In general it is a bad idea to give your Facebook credentials away, especially to a third-party app. Always make sure that if you do insert your credentials into something that isn't the secured and encrypted webpage for the service you are using, make sure that it's not being sent somewhere else.
Save yourself the hassle and get protected.