A series of Android apps that were used to steal Facebook credentials had been downloaded a total of nearly six million times before Google removed them from the Play Store.
Security firm Dr Web discovered 10 Android apps – nine of which were on the Play Store – which the developers had snuck code to harvest usernames and passwords of unsuspecting Facebook users.
Among the dodgy apps were photo-editing software PIP Photo and Processing Software (which were downloaded five million and 500,000 times respectively), while device performance monitor Rubbish Cleaner, astrology app Horoscope Daily, and fitness app Inwell Fitness were each downloaded 100,000 times.
The apps actually worked, providing some if not all the functionality they claimed.
Dr Web suggested this helped “weaken the vigilance of potential victims”.
“To access all of the apps’ functions and, allegedly, to disable in-app ads, users were prompted to log into their Facebook accounts,” the company said in a blog post.
That script scraped the login credentials and sent them back to the developers along with an authorisation cookie given to the user’s device upon successful login.
“Analysis of the malicious programs showed that they all received settings for stealing logins and passwords of Facebook accounts,” Dr Web said.
“However, the attackers could have easily changed the trojans’ settings and commanded them to load the web page of another legitimate service.
“They could have even used a completely fake login form located on a phishing site. Thus, the trojans could have been used to steal logins and passwords from any service.”
Google has removed the apps from its Play Store and told Ars Technica it also banned the app’s developers.
Play Store apps are a common vector for malicious activity with Avast warning Android users last month of a recent spike in malicious apps, especially adware.
Dr Web says it is good practice to only install apps from well-known, trusted developers and to keep an eye on other user reviews for clues to their trustworthiness.
“The reviews cannot provide an absolute guarantee that the apps are harmless but can still alarm you about potential threats,” it said.
“You should also pay attention to when and which apps ask you to login into your account. If you are not sure that what you are doing is safe, it would be better for you not to proceed any further and uninstall the suspicious program.”