The Google Play Store is generally the safest place to obtain apps for your Android smartphone, but every once in a while, some bad actors find their way in. Recently, Google removed a handful of Android apps from the Play Store that tried to steal Facebook passwords.

Dr. Web recently highlighted a “trojan” that was embedded within some Android apps that had the ability to trick users into giving up their Facebook password. Ten apps were observed using the software, most of which were actually available in the Google Play Store and had racked up a considerable number of downloads. The nine apps combined were downloaded over 6 million times.

The software worked by faking the Facebook login screen, making users think that the otherwise harmless app they were using required a Facebook account to function. After entering their password on the screen, the data was then stolen and gave the bad actor access to the unwitting user’s account.

With that, the displayed form was genuine. These trojans used a special mechanism to trick their victims. After receiving the necessary settings from one of the C&C servers upon launch, they loaded the legitimate Facebook web page into WebView. Next, they loaded JavaScript received from the C&C server into the same WebView. This script was directly used to hijack the entered login credentials. After that, this JavaScript, using the methods provided through the JavascriptInterface annotation, passed stolen login and password to the trojan applications, which then transferred the data to the attackers’ C&C server. After the victim logged into their account, the trojans also stole cookies from the current authorization session. Those cookies were also sent to cybercriminals.

The apps in question included photo editing apps, “App Lock,” a fitness app, and horoscope applications. Some of the apps apparently used Google’s Flutter language. “PIP Photo” was the app that managed the most success, pulling 5.8 million downloads. The rest of the apps were marked as “more than 100,000” or less.

ArsTechnica found that all nine apps have been removed from the Play Store, with a Google spokesperson confirming that the bad actor’s developer accounts have also been banned. Google has also been taking steps to further secure the Play Store recently by adding security requirements for Google Play developers.

More on Android:

FTC: We use income earning auto affiliate links. More.

Check out 9to5Google on YouTube for more news:

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Schoon

Ben is a writer and video producer for 9to5Google.

Find him on Twitter @NexusBen. Send tips to or encrypted to