Google has removed this month 25 Android applications from the Google Play Store that were caught stealing Facebook credentials.
Before being taken down, the 25 apps were collectively downloaded more than 2.34 million times.
The malicious apps were developed by the same threat group and despite offering different features, under the hood, all the apps worked the same.
According to a report from French cyber-security firm Evina shared with ZDNet today, the apps posed as step counters, image editors, video editors, wallpaper apps, flashlight applications, file managers, and mobile games.
The apps offered a legitimate functionality, but they also contained malicious code. Evina researchers say the apps contained code that detected what app a user recently opened and had in the phone's foreground.
If the app was Facebook, the malicious app would overlay a web browser window on top of the official Facebook app and load a fake Facebook login page (see image below: blue bar = actual Facebook app, black bar = phishing page).
If users entered credentials on this phishing page, the malicious app would log the data and send it to a remote server located at (the now-defunct) airshop.pw domain.
Evina said it found the malicious code that stole Facebook credentials in 25 apps they reported to Google at the end of May. Google removed the apps earlier this month, after verifying the French security firm's findings. Some of the apps had been available on the Play Store for more than a year before they were removed.
The full list of 25 apps, their names, and package ID, are listed below. When Google removes malicious apps from the Google Store, the company also disables the apps on a user's devices and notifies users via the Play Protect service included with the official Play Store app.