Google removes nine popular apps that stole users’ Facebook passwords

The apps had over 5.8 million combined downloads

Google has removed nine popular apps from the Play Store after researchers found that they were stealing Facebook passwords.

The apps had over 5.8 million combined downloads. Notably, the apps were titled in a way that made them easy for users to find.

The nine apps were: Rubbish Cleaner, Inwell Fitness, Horoscope Daily, App Lock Keep, Lockit Master, Horoscope Pi and App Lock Manager.

The apps tricked users by loading a legitimate Facebook sign-in page, but then also loaded JavaScript to hijack credentials. They also stole cookies from the authorization session.

Further, researchers identified five malware variants stashed inside the apps, but all of them used the same format to swipe details.
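For defenders reviewing decompiled Android apps, the behaviour described above (a real Facebook sign-in page loaded in-app, JavaScript injected into it, session cookies read afterwards) can be flagged with a simple static heuristic. The sketch below is an added example, not code from the researchers or from Google; the mapping onto standard Android WebView APIs is an assumption, and both sample snippets are constructed.

```python
import re

# Assumed mapping of the described behaviour onto standard Android APIs;
# the article itself names no APIs.
INDICATORS = {
    "facebook_login_page": re.compile(r'https?://(?:m\.|www\.)?facebook\.com/login', re.I),
    "js_enabled": re.compile(r'setJavaScriptEnabled\(\s*true\s*\)'),
    "js_injection": re.compile(r'evaluateJavascript\(|loadUrl\(\s*"javascript:'),
    "js_bridge": re.compile(r'addJavascriptInterface\('),
    "cookie_read": re.compile(r'CookieManager\.getInstance\(\)\.getCookie\('),
}

def scan_source(text):
    """Return the names of all indicators present in decompiled source text."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}

def assess(text):
    """Rate a source file by the combination of indicators, not any single one."""
    hits = scan_source(text)
    loads_login = "facebook_login_page" in hits
    injects = "js_injection" in hits or "js_bridge" in hits
    if loads_login and injects and "cookie_read" in hits:
        return "high", hits      # login page + script injection + cookie access
    if loads_login and injects:
        return "medium", hits    # login page + script injection
    return "low", hits           # JavaScript in a WebView alone is common and benign

# Constructed sample: the combination described in the article.
SUSPICIOUS_SAMPLE = '''
webView.getSettings().setJavaScriptEnabled(true);
webView.addJavascriptInterface(new Bridge(), "bridge");
webView.loadUrl("https://www.facebook.com/login.php");
webView.loadUrl("javascript:" + script);
String c = CookieManager.getInstance().getCookie(url);
'''

# Constructed sample: an ordinary in-app help page.
BENIGN_SAMPLE = '''
webView.getSettings().setJavaScriptEnabled(true);
webView.loadUrl("https://example.com/help");
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        level, hits = assess(src)
        print(label, level, sorted(hits))
```

A "high" rating is a prompt for manual review, not proof of credential theft, since string matching misses obfuscated or dynamically loaded code.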

A Google spokesperson told Ars Technica that the tech giant has banned all the developers of the nine apps, which prevents them from submitting new apps. Unfortunately, this may not be much of a deterrent, as they can simply create new developer accounts.

Users who may have downloaded one of the apps should examine their Facebook accounts for any signs of suspicious activity.

Source: Ars Technica