If users agreed and clicked the login button, they saw a standard social network login form.

However, in reality, it showed a fake login page to steal the Facebook user IDs and passwords.

Next, they loaded JavaScript received from the C&C server into the same WebView.

This script was directly used to hijack the entered login credentials, the security researchers wrote in the report.

After the victim logged into their account, the trojans also stole cookies from the current authorization session.

Those cookies were also sent to cybercriminals.
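
A static triage heuristic for the pattern described above, as an added example that is not code from the report or from the apps: it scans decompiled Java sources for a WebView with JavaScript enabled, script text injected from a non-literal value, and cookies read back from the session. The sample sources, file names and variable names are constructed; the three API calls are real Android framework methods, and requiring all three to co-occur is an assumption of this sketch.

```python
import re

# Real Android framework calls, mapped to the stages the article describes.
SIGNALS = {
    # WebView is allowed to run script at all
    "js_enabled": re.compile(r'\.setJavaScriptEnabled\(\s*true\s*\)'),
    # Script text is not a compile-time literal (e.g. it was fetched at runtime)
    "dynamic_script": re.compile(
        r'\.evaluateJavascript\(\s*[^"\s)]'
        r'|\.loadUrl\(\s*"javascript:[^"]*"\s*\+'),
    # Session cookies are read back out of the WebView cookie store
    "cookie_read": re.compile(r'\.getCookie\('),
}

def scan_file(text):
    """Return {signal: [line numbers]} for one decompiled source file."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("//"):  # skip whole-line comments
            continue
        for name, rx in SIGNALS.items():
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def triage(sources):
    """sources: {path: text}. Flag the app only if every stage is present,
    since the stages may be split across classes."""
    files = {}
    for path, text in sources.items():
        hits = scan_file(text)
        if hits:
            files[path] = hits
    seen = {name for hits in files.values() for name in hits}
    missing = sorted(set(SIGNALS) - seen)
    return {"suspicious": not missing, "missing": missing, "files": files}

# Constructed samples: one app with all three stages, one ordinary WebView app.
SAMPLE_APP = {
    "LoginActivity.java": '''
web.getSettings().setJavaScriptEnabled(true);
web.loadUrl(loginUrl);
web.evaluateJavascript(remoteScript, null);  // script text fetched at runtime
''',
    "Uploader.java": 'String s = CookieManager.getInstance().getCookie(loginUrl);',
}
BENIGN_APP = {
    "HelpActivity.java": '''
web.getSettings().setJavaScriptEnabled(true);
web.evaluateJavascript("document.title", null);
''',
}
```

A hit is a reason to review the app by hand, not a verdict: legitimate apps also combine these calls, so the result is best used to rank samples for analysis.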

Analysis of the malicious programs showed that they all received tweaks for stealing logins and passwords of Facebook accounts.

They could have even used a completely fake login form located on a phishing site.

Thus, the trojans could have been used to steal logins and passwords from any service.

After Dr. Web's report went live, Google removed all nine malicious apps from the Play Store.

It also recommends users pay attention to when and which apps ask them to log in to their accounts.

source: www.techworm.net