Popular Android games stole Facebook logins

Posted at 12:38 PM, Jul 09, 2015
and last updated 2015-07-09 12:38:24-04

NEW YORK (CNNMoney) — More than half a million people downloaded an Android game that stole their Facebook usernames and passwords, according to researchers.

It was called “Cowboy Adventure,” and it just got pulled out of the app store for Android phones, Google Play. But it had already been downloaded anywhere from 500,000 to 1 million times, according to Google statistics.

And it wasn’t the only one. Jump Chess did the same thing, and it had already been downloaded by up to 5,000 devices. It also disappeared from the app store on July 2.

Cowboy Adventure screenshot

Both games were made by the same software developer, Tinker Studio. CNNMoney has tried to communicate with the firm, but it hasn’t yet responded.

Anyone who has downloaded these games should change their Facebook password immediately.

On Google Play — which is supposed to be a safe zone — this could be the largest spread of this type of malware yet.

Google did not reply to CNNMoney questions about why Google didn’t catch this sooner — and whether Tinker Studio will be banned from Google Play.

On Thursday, computer researchers with the Slovakian antivirus company ESET explained how they spotted this.

Jump Chess screenshot

ESET routinely scans popular apps and reverse engineers them to check their computer code for malicious features.

Lukáš Štefanko, a computer researcher there, pulled apart Cowboy Adventure and found it behaving strangely.

Nowadays, lots of apps ask for your Facebook name and password to login. Respectable apps transmit that information securely to Facebook using a respected standard called OAuth.

But not Cowboy Adventures. It grabbed that data and sent it to a computer server located in Panama, according to researchers.

ESET checked the other game developed by Tinker Studio and found it behaving the same way. ESET explored the code and found it contained Vietnamese text, but it’s hard to tell exactly where these developers were based — or what they were doing with the massive collection of Facebook logins.

There’s a possibility these aren’t hackers, just game developers carelessly transmitting usernames and passwords to Facebook. But ESET senior security researcher Robert Lipovsky is convinced they’re criminals.

“It’s very unlikely that they were just dumb,” Lipovsky said.

If anyone tries to download either game now, Google warns: “It is designed to trick you into entering personal data.”

The lesson here? Be more careful when downloading an app. Read user reviews. In this case, some people complained that the game locked them out of their Facebook accounts.

And it’s worth having some kind of malware-scanning service on your smartphone. (Avast, AVG, Bitdefender, ESET, Kaspersky and others make them.)