Security researchers warn that a malicious Android game, which steals Facebook credentials and propagates through friends lists, has been downloaded over a million times.
Researchers at ESET have discovered that the Cowboy Adventure title, which until recently was available on the Google Play store, was stealing Facebook credentials and using them to spread itself to other users. The app did this by popping up a fake Facebook login screen in the middle of the game. If users were fooled, their credentials were sent via an HTTPS connection to a remote server.
Another title, Jump Chess, was similarly infected by malicious code and used to gather social media credentials from unsuspecting users. Interestingly enough, the malicious agents behind the code used geolocation and didn’t display the fake login screen for users in Canada and the US.
Both titles have been removed from the Play Store, though you may want to change your Facebook credentials if you’ve ever downloaded these games.