Google has removed nine Android apps that were downloaded more than 5.8 million times from its Play marketplace after security researchers revealed they had been stealing users' Facebook passwords.
Analysts for Doctor Web, a Russian anti-malware company, found the apps contained different variations of the Android.PWS.Facebook trojan.
All of the apps worked as advertised in order to lower the vigilance of potential victims, Doctor Web said.
Once in the app, users were offered the opportunity to unlock full functionality and disable in-app adverts by logging in with their Facebook accounts.
If they chose to do so, they were shown a genuine Facebook login form into which JavaScript received from the malware's command and control (C&C) server was also loaded.
"After that, this JavaScript... passed stolen login and password to the trojan applications, which then transferred the data to the attackers' C&C server," Doctor Web wrote.
"After the victim logged into their account, the trojans also stole cookies from the current authorisation session. Those cookies were also sent to cybercriminals."
All of the programmes were configured to steal Facebook account credentials, but the trojans' settings could easily be updated to load the web page of any other site.
"They could have even used a completely fake login form located on a phishing site. Thus, the trojans could have been used to steal logins and passwords from any service."
The most popular app, PIP Photo, had been downloaded over 5 million times before it was removed; Processing Photo was next, with more than half a million downloads.
The apps were:
- PIP Photo
- Processing Photo
- App Lock Keep
- Rubbish Cleaner
- Horoscope Daily
- Horoscope Pi
- App Lock Manager
- Lockit Master
- Inwell Fitness
A Google spokesperson told Ars Technica the company had also banned the developers of the apps, meaning they won't be allowed to submit new apps to the Play store.