Facebook login details to access all of the apps’ functions and, allegedly, to disable in-app ads.

The stolen information was exfiltrated to the server by the trojanised applications.

9 apps with 6M installs stole Facebook logins of Android users

The apps, and the number of times each has been installed, are as follows:

  1. App Lock Manager – 10 installs
  2. Horoscope Pi – 1,000 installs
  3. Lockit Master – 5,000 installs
  4. App Lock Keep – 50,000 installs
  5. Inwell Fitness – 100,000 installs
  6. Horoscope Daily – 100,000 installs
  7. Rubbish Cleaner – 100,000 installs
  8. Processing Photo – 500,000 installs
  9. PIP Photo – 5,000,000 installs

“The advertisements inside some of the apps were indeed present, and this maneuver was intended to further encourage Android device owners to perform the required actions,” the researchers from Dr. Web stated in their blog post.

Watch out for malware on the Play Store

Although the Google Play Store is home to millions of apps, it is also a breeding ground for malicious ones. In fact, nasty malware such as Joker, AlienBot Banker, and TeaBot has already infected millions of unsuspecting Android users worldwide.

Apps asking for Facebook login credentials (Image: Dr. Web)

Avoid downloading unnecessary apps

This discovery only shows how many scams and fraudulent apps exist on the Google Play Store, and how easy it is to fall into the scammers' trap. That is why people are better off only downloading apps from known and trusted developers.

Moreover, you should carefully consider which permissions you grant to the apps you use, and go through the user reviews of apps before installing them.

Google removes malicious apps

Google has taken note of this issue and subsequently announced new measures for the Play Store: any developer who wants to publish an app must first turn on 2-Step Verification (2SV) for their account, provide an address, and verify their contact details.

Posted by Charlie