Google has removed nine apps from the Play Store after it was found these apps stole user’s Facebook login credentials. All apps offered legitimate services and were downloaded more than 5 million times.

As uncovered by security researchers at Dr. Web (via ArsTechnica), these malicious apps used a special mechanism to trick users into handing over their Facebook credentials. The apps lured users into disabling in-app advertisements by linking their Facebook profiles. When the user went to link their profile, they saw a genuine form asking them to enter their Facebook username and password. The Facebook page loaded into Android WebView itself was legitimate. However, the researchers discovered that hijackers also loaded malicious JavaScript into the same WebView to steal user data.

As researchers at Dr. Web describe:

This script was directly used to highjack the entered login credentials. After that, this JavaScript, using the methods provided through the JavascriptInterface annotation, passed stolen login and password to the trojan applications, which then transferred the data to the attackers’ C&C server. After the victim logged into their account, the trojans also stole cookies from the current authorization session. Those cookies were also sent to cybercriminals.

These are the nine apps caught stealing users’ Facebook logins and passwords:

  1. PIP Photo (5,000,000+ downloads)
  2. Processing Photo (500,000+ downloads)
  3. Rubbish Cleaner (100,000+ downloads)
  4. Inwell Fitness (100,000+ downloads)
  5. Horoscope Daily (100,000+ downloads)
  6. App Lock Keep (50,000+ downloads)
  7. Lockit Master (5,000+ downloads)
  8. Horoscope Pi (1,000 downloads)
  9. App Lock manager (10 downloads)

And these are the five malware variants that Dr. Web identified inside the apps.

Google has since removed these apps from the Play Store and has also banned the publishers of all nine apps from the platform, so they can’t publish any new apps. If you have installed any of the above-listed apps on your Android device, uninstall them immediately. Also, make sure to reset your Facebook password and enable 2-factor authentication just to be on the safer side.