Google has removed at least nine apps from the Google Play store after security researchers revealed they’d been secretly harvesting users’ Facebook login details.
Research from Dr. Web say ten ‘trojan’ apps, nine of which were available on Google Play, have been stealing innocent users’ Facebook usernames and passports.
The apps in question have been downloaded 5,856,010 times, the researchers say, alarmingly. The apps masquerading as innocent smartphone aids include Processing Photo, App Lock Keep, Rubbish Cleaner, Horoscope Daily, Horoscope Pi, App Lock Manager, Lockit Master, Inwell Fitness, and PIP Photo.
These apps were not obscure by any means. Processing Photo, for instance, was downloaded more than half a million times by unsuspecting Android users. All have now been removed from the Play Store, while the developers have also been banned from the platform.
The harvested user names and passwords, as well as all cookies from the authorisation session were passed onto cybercriminals, the report says. The researchers say one of the apps, EditorPhotoPip, had already been deleted by Google Play, but was still available via aggregator websites.
The site says this emphasises the need to only download apps from official sources, rather than side-loading onto an Android device.