
Facebook logins stolen by popular Android game

More than half a million people downloaded an Android game that stole their Facebook usernames and passwords, according to researchers.

It was called “Cowboy Adventure,” and it just got pulled out of the app store for Android phones, Google Play. But it had already been downloaded anywhere from 500,000 to 1 million times, according to Google statistics.

And it wasn’t the only one. Jump Chess did the same thing, and it had already been downloaded by up to 5,000 devices. It also disappeared from the app store on July 2.

Both games were made by the same software developer, Tinker Studio. CNNMoney has tried to communicate with the firm, but it hasn’t yet responded.

Anyone who has downloaded these games should change their Facebook password immediately.

On Google Play — which is supposed to be a safe zone — this could be the largest spread of this type of malware yet.

Google did not reply to CNNMoney's questions about why Google didn’t catch this sooner — and whether Tinker Studio will be banned from Google Play.

On Thursday, computer researchers with the Slovakian antivirus company ESET explained how they spotted this.

ESET routinely scans popular apps and reverse engineers them to check their computer code for malicious features.

Lukáš Štefanko, a computer researcher there, pulled apart Cowboy Adventure and found it behaving strangely.

Nowadays, lots of apps ask for your Facebook name and password to log in. Respectable apps transmit that information securely to Facebook using a respected standard called OAuth.

But not Cowboy Adventure. It grabbed that data and sent it to a computer server located in Panama, according to researchers.

ESET checked the other game developed by Tinker Studio and found it behaving the same way. ESET explored the code and found it contained Vietnamese text, but it’s hard to tell exactly where these developers were based — or what they were doing with the massive collection of Facebook logins.

There’s a possibility these aren’t hackers, just game developers carelessly transmitting usernames and passwords to Facebook. But ESET senior security researcher Robert Lipovsky is convinced they’re criminals.

“It’s very unlikely that they were just dumb,” Lipovsky said.

If anyone tries to download either game now, Google warns: “It is designed to trick you into entering personal data.”

The lesson here? Be more careful when downloading an app. Read user reviews. In this case, some people complained that the game locked them out of their Facebook accounts.

And it’s worth having some kind of malware-scanning service on your smartphone. (Avast, AVG, Bitdefender, ESET, Kaspersky and others make them.)
