Nine disreputable Android apps were found to be attempting to steal users' Facebook passwords
The nine Facebook-phishing trojanized apps have been removed from the Google Play Store, but presumably not from users' devices. One of them, called PIP Photo, was downloaded more than 5 million times. The other apps did not come close to that number, but together they were downloaded about 800,000 times.
If you have downloaded or installed any of these nine Android apps, you need to remove them. Go to Settings > Apps & Notifications > View All Apps (your phone may be a little different) and tap each suspicious app in the list to uninstall it.
You should also assume that your Facebook account has been compromised: change your Facebook password, log out of Facebook on all devices and clear session cookies. Then you can log in again.
If you use the same email address and password for other accounts, assume that those have also been compromised. Change each password, using a unique password every time (you never want to reuse passwords on important accounts). Then log out of those accounts on all devices and log back in.
Additionally, a 10th app that steals Facebook passwords had previously been removed from Google Play but was found to still be available on the "offload" app market:
Many Android apps have the same name, so you want to make sure you are removing the correct one. From the Apps page under Settings, click Details > App Details. Clicking on "App Details" takes you to the app's Google Play page, where you will see the developer name (compare it with the list above) or a notice that the app has been removed.
If you see that removal notice, you know that Google has removed the app from Google Play; go back to the list of apps in Settings and uninstall it. If the developer name matches one shown in the list above, uninstall the app in that case as well.
These password-stealing apps were discovered by the Russian antivirus company Dr Web, which posted a report on them last week. Dr Web stated that all of these apps were "fully functional" and that users were willingly running them, indicating that they were probably unaware that anything fishy was going on behind the scenes.
What these apps had in common was that they all displayed a large number of ads. Many apps let users log in via Facebook or Google to avoid having to create a new account each time, a process that should be secure.
In these cases, it was not. Even though the apps displayed the real Facebook third-party login page, they injected code behind the scenes that logged the Facebook credentials as the user entered them.
This code also stole the Facebook session tokens that keep people logged into Facebook for an extended period of time. There is no end to the ways stolen Facebook accounts can be misused.
This is already pretty bad, but Dr Web reports that it could have been worse, and indeed it still might be.
"Attackers could easily change the Trojan's settings and command it to load a web page from another legitimate service. They could even use a completely fake login form from a phishing site. Thus, the Trojan could be used to steal login names and passwords from any service."
All of these apps have disappeared from Google Play, but they are still available in third-party app stores. In general, avoid downloading apps from the "offload" marketplace; Google Play is not perfect - one reason why you should run one of the best Android antivirus apps - but it is much safer than the Wild West of unregulated app stores.
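A defender-side check to go with the uninstall advice above, added here as an example and not taken from the article: the script parses the output of `adb shell pm list packages -3 -i` (the `-i` option appends each package's installer) and flags third-party apps that were not installed by Google Play. The package and installer names in the sample data are constructed, not the apps named in the article.

```shell
#!/bin/sh
# Added example (not from the article): triage third-party apps on an Android
# device by where they were installed from. Input is the output of
#   adb shell pm list packages -3 -i
# which prints one line per user-installed package, e.g.
#   package:com.example.app  installer=com.android.vending
# Anything not installed by the Play Store (com.android.vending) was sideloaded
# or came from another market and deserves a closer look. Apps Google has pulled
# from Play also stay on the device until uninstalled, so this list is a
# starting point for a manual review, not a verdict.

PLAY_STORE="com.android.vending"

# flag_non_play: read `pm list packages -3 -i` lines on stdin and print the
# package names whose installer is missing, "null", or not the Play Store.
flag_non_play() {
    tr -d '\r' | while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;           # skip anything that is not a package line
        esac
        pkg=${line#package:}
        pkg=${pkg%%[[:space:]]*}     # drop everything after the package name
        installer=${line##*installer=}
        # If "installer=" is absent, the expansion returns the whole line,
        # which never equals the Play Store id, so it is flagged as well.
        if [ "$installer" != "$PLAY_STORE" ]; then
            echo "$pkg"
        fi
    done
}

# flag_non_play_live: run the check against a device attached over adb.
flag_non_play_live() {
    adb shell pm list packages -3 -i | flag_non_play
}

# CONSTRUCTED sample output; package and installer names are made up and are
# not the apps named in the article.
SAMPLE_PM_OUTPUT='package:com.example.weather  installer=com.android.vending
package:com.example.pipphoto  installer=com.example.othermarket
package:com.example.sideloaded  installer=null'

# Prints com.example.pipphoto and com.example.sideloaded for the sample above.
demo_flag_non_play() {
    printf '%s\n' "$SAMPLE_PM_OUTPUT" | flag_non_play
}
```

Run `flag_non_play_live` with a device attached and USB debugging enabled, then check each flagged package the way the article describes before uninstalling.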