Discovered by security researchers at Dr. Web, these stealer trojans used a special mechanism to trick users into disclosing their Facebook login details, offering them photo editing and app lock features as well as the option to disable in-app advertisements. The nine malicious Android apps were Processing Photo, App Lock Keep, Rubbish Cleaner, Horoscope Daily, Horoscope Pi, App Lock Manager, Lockit Master, Inwell Fitness, and PIP Photo, which had approximately 5.9 million combined downloads.

According to Dr. Web’s report, all the above apps were fully functional, which was supposed to weaken the vigilance of potential victims. Besides this, to access all of the apps’ functions and, allegedly, to disable in-app ads, users were prompted to log into their Facebook accounts. The advertisements inside some of the apps were indeed present, and this maneuver was intended to further encourage Android device owners to perform the required actions.

If users agreed and clicked the login button, they saw a standard social network login form. In reality, however, it was a fake login page designed to steal Facebook user IDs and passwords.

“After receiving the necessary settings from one of the C&C servers upon launch, they loaded the legitimate Facebook web page https://www.facebook.com/login.php into WebView. Next, they loaded JavaScript received from the C&C server into the same WebView. This script was directly used to hijack the entered login credentials,” the security researchers wrote in the report.

“After that, this JavaScript, using the methods provided through the JavascriptInterface annotation, passed stolen login and password to the trojan applications, which then transferred the data to the attackers’ C&C server. After the victim logged into their account, the trojans also stole cookies from the current authorization session. Those cookies were also sent to cybercriminals.”

Analysis of the malicious programs showed that they all received settings for stealing logins and passwords of Facebook accounts. However, the attackers could have easily changed the trojans’ settings and commanded them to load the web page of another legitimate service. They could have even used a completely fake login form located on a phishing site. Thus, the trojans could have been used to steal logins and passwords from any service.

After Dr. Web’s report went live, Google removed all nine malicious apps from the Play Store. It has also banned the developers of these apps from submitting any new apps, according to Ars Technica.

Doctor Web recommends that Android device owners install apps only from known and trusted developers and pay attention to other users' reviews. It also recommends that users pay attention to when and which apps ask them to log in to their account. It added that if users are not sure that what they are doing is safe, it would be better not to proceed any further and to uninstall the suspicious program. If you have downloaded any of the above-mentioned malicious apps and used their Facebook login option, it is recommended to uninstall them immediately, change your password, and enable 2-factor authentication.
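
As an added example (not code from Dr. Web's report or from this article), here is a static triage heuristic for decompiled Android Java source that looks for the API combination the report describes: a WebView with JavaScript enabled, a JavascriptInterface bridge, and script whose content is only decided at runtime. The sample snippets and names such as `settings.script` are constructed, and a match only prioritises code for manual review, since legitimate hybrid apps use the same APIs.

```python
import re

# Static triage heuristic for decompiled Android Java source (added example).
# Each indicator is a real Android WebView API that the reported pattern combines.
INDICATORS = {
    "js_enabled": re.compile(r"setJavaScriptEnabled\s*\(\s*true\s*\)"),
    "js_bridge": re.compile(r"addJavascriptInterface\s*\("),
    "bridge_method": re.compile(r"@JavascriptInterface\b"),
    # Script passed as a variable rather than a string literal: its content
    # is decided at runtime, e.g. by a server-supplied configuration.
    "dynamic_script": re.compile(
        r"evaluateJavascript\s*\(\s*[A-Za-z_]"
        r"|loadUrl\s*\(\s*\"javascript:\"\s*\+"),
    "cookie_read": re.compile(r"CookieManager\b[^;]*\.getCookie\s*\("),
}
CORE = {"js_enabled", "js_bridge", "dynamic_script"}

def triage(java_source: str) -> dict:
    """Report which indicators occur and whether the core combination is present."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(java_source)}
    core = CORE <= hits
    return {
        "hits": sorted(hits),
        "review": core,                                   # bridge + runtime script
        "session_cookie_access": core and "cookie_read" in hits,
    }

# Constructed samples (not taken from the apps named in the article).
SAMPLE_FLAGGED = '''
web.getSettings().setJavaScriptEnabled(true);
web.addJavascriptInterface(new Bridge(), "app");
web.loadUrl(settings.pageUrl);
web.evaluateJavascript(settings.script, null);
String c = CookieManager.getInstance().getCookie(settings.pageUrl);
class Bridge { @JavascriptInterface public void onSubmit(String a, String b) {} }
'''
SAMPLE_BENIGN = '''
web.getSettings().setJavaScriptEnabled(true);
web.loadUrl("https://help.example.com/faq");
'''

if __name__ == "__main__":
    for name, src in (("flagged", SAMPLE_FLAGGED), ("benign", SAMPLE_BENIGN)):
        print(name, triage(src))
```

Because the page URL and script can arrive from a server at runtime, as the report notes, a clean static result does not clear an app; pair this with a review of what the bridge methods do with their arguments.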