The apps allegedly used a fake Facebook sign in page using JavaScript from a command and control server to “hijack” the log in details, also stealing cookies from the authorization session.
Facebook was the target in each case, but the creators could just have easily steered users toward other internet services.
Of the five variations of malware, all of them used the same JavaScript code to steal the credentials from users.
As the developers used a phising tool to load the fake Facebook JavaScript page after loading the real site, it is likely they would also be able to use the malware to gain login information from users for a number of other webisites tool.
Google also told Ars Technica that it banned all the app developers from the store.
