Although the applications offered different legitimate functionality (pedometers, graphic editors, video editors, wallpapers, flashlights, file managers and mobile games), they all worked the same way: they stole credentials from Facebook accounts.
Experts write that the 25 applications were clearly created by one group of developers and contained code that determined which application the user had recently worked with. If that application was Facebook, the malware would overlay a browser window on top of the real Facebook application and load a fake login page for the social network in that browser.
If the victim did not notice the forgery and entered their credentials on the phishing page, the malware saved them and sent them to a remote server located on the now-defunct airshop.pw domain.
All of the malicious applications have now been removed from the Google Play Store, but experts say that some of them were available in the store for more than a year. A complete list of the malware-infected applications can be seen below.