Facebook logins stolen by popular Android game

More than half a million people downloaded an Android game that stole their Facebook usernames and passwords, according to researchers.

It was called “Cowboy Adventure,” and it just got pulled out of the app store for Android phones, Google Play. But it had already been downloaded anywhere from 500,000 to 1 million times, according to Google statistics.

And it wasn’t the only one. Jump Chess did the same thing, and it had already been downloaded by up to 5,000 devices. It also disappeared from the app store on July 2.

Both games were made by the same software developer, Tinker Studio. CNNMoney has tried to communicate with the firm, but it hasn’t yet responded.

Anyone who has downloaded these games should change their Facebook password immediately.

On Google Play — which is supposed to be a safe zone — this could be the largest spread of this type of malware yet.

Google did not reply to CNNMoney's questions about why Google didn’t catch this sooner — and whether Tinker Studio will be banned from Google Play.

On Thursday, computer researchers with the Slovakian antivirus company ESET explained how they spotted this.

ESET routinely scans popular apps and reverse engineers them to check their computer code for malicious features.

Lukáš Štefanko, a computer researcher there, pulled apart Cowboy Adventure and found it behaving strangely.

Nowadays, lots of apps ask for your Facebook name and password to log in. Respectable apps transmit that information securely to Facebook using a respected standard called OAuth.

But not Cowboy Adventure. It grabbed that data and sent it to a computer server located in Panama, according to researchers.

ESET checked the other game developed by Tinker Studio and found it behaving the same way. ESET explored the code and found it contained Vietnamese text, but it’s hard to tell exactly where these developers were based — or what they were doing with the massive collection of Facebook logins.

There’s a possibility these aren’t hackers, just game developers carelessly transmitting usernames and passwords to Facebook. But ESET senior security researcher Robert Lipovsky is convinced they’re criminals.

“It’s very unlikely that they were just dumb,” Lipovsky said.

If anyone tries to download either game now, Google warns: “It is designed to trick you into entering personal data.”

The lesson here? Be more careful when downloading an app. Read user reviews. In this case, some people complained that the game locked them out of their Facebook accounts.

And it’s worth having some kind of malware-scanning service on your smartphone. (Avast, AVG, Bitdefender, ESET, Kaspersky and others make them.)
