Threat researchers at the security firm ESET have discovered a Facebook-credential-stealing Trojan masquerading as an Android game that was downloaded by up to a million Android users.
Malicious Android apps downloaded 50,000 to 1,000,000 times
The game, "Cowboy Adventure," showed a Google Play install count of 50,000 to 1,000,000; a second malicious game by the same publisher, "Jump Chess," was downloaded up to 50,000 times. Both have since been removed from the Google Play Store.
Before they were taken down, however, the two games may have compromised an unknown number of victims' Facebook credentials.
Both games were published by the same developer, Tinker Studio, and both were used to harvest social media credentials from unsuspecting users.
How Cowboy Adventure victimized Android users
Once installed, Cowboy Adventure displayed a fake Facebook login window that prompted users to enter their Facebook username and password. A legitimate "Log in with Facebook" integration uses OAuth, in which the app hands the user over to Facebook's own login page and gets back only an authorization code or access token; the app never sees the password. Cowboy Adventure instead drew its own login form, so anything typed into it went straight to the app.
If users entered their credentials into that form, the malicious code inside the game allegedly sent them to the attacker's server.
If you downloaded Cowboy Adventure or Jump Chess, change your Facebook password immediately, and do the same on every other service where you reuse the same username and password combination.
ESET senior security researcher Robert Lipovsky believes the apps' malicious behavior is not a careless mistake by the game developer but deliberate criminal intent on the developer's part.
A few basic tips to keep in mind:
- Download apps only from official sources such as the Google Play Store or Apple's App Store. This lowers the risk but does not remove it; both of these games were on Google Play until they were pulled.
- Read other users' reviews before installing an app. Many Cowboy Adventure reviewers complained that the game had locked them out of their Facebook accounts.
- Enable two-factor authentication wherever a service offers it; it makes it much harder for an attacker who has only your password to get into your account.
- Run mobile security software from a trusted vendor such as Avast, AVG, ESET, Kaspersky or Bitdefender on your smartphone.