Researchers found that a number of fully authorised apps in the Google Play Store were stealing users' Facebook credentials from within otherwise fully functional apps for tasks like photo editing, fitness, horoscopes and even the classic vector for dodgy things – pretending to help you clean other dodgy things off your phone.
After researchers from security firm Dr. Web alerted Google to the problem apps, the apps were all removed. But they had been vetted as clean apps by Google the first time around… so there’s that…
The nine apps were:
- Processing Photo
- App Lock Keep
- Rubbish Cleaner
- Horoscope Daily
- Horoscope Pi
- App Lock Manager
- Lockit Master
- Inwell Fitness
- PIP Photo
The last of those, PIP Photo, was the most downloaded at 5.8 million, while the others ranged from 10 to 100,000 downloads.
The apps mostly appeared to be advertising supported, offering to remove the ads if you logged in to Facebook. But the Facebook login flow was hijacking the user's credentials during that authorisation process.
As ever, stay careful out there, and don’t trust reviews or download numbers alone. These apps really worked and did what they said they did, so don’t think you’ll see flashing lights saying ‘SCAM’ to warn you something is up.