Hooked to playing adventure games on your smartphone or tablet? Was "Cowboy Adventure" - an Android game - also one of them? If you answered yes then you're in trouble.
Why? Researchers reveal that Cowboy Adventure has apparently compromised the Facebook login credentials of over a million users who downloaded the Android game.
This information has been divulged by ESET, a Slovakia-based antivirus service that published a post on Thursday, July 9, which detailed how the Cowboy Adventure app on the Google Play store was able to steal personal information of the users.
"With 500,000 - 1,000,000 installs, Cowboy Adventure was a relatively popular game on the Google Play store. That popularity in itself is unremarkable: however, the developers of the app also used it as a tool to harvest Facebook credentials, and that did raise a few eyebrows," noted ESET's malware researchers.
So how did Cowboy Adventure manage to "harvest" the information you wonder? The game created a fake login screen for Facebook where users were asked to key in their phone number or email, as well as the password. On doing so, the data was allegedly transferred to a server in Panama that belonged to the attackers.
ESET frequently scans popular apps and its engineers check-up on the apps' computer code for the presence of any undetected malware. It was during one such routine check that Lukáš Štefanko, ESET's computer researcher, spotted oddities in the Cowboy Adventure game app and exploring the code revealed that it had Vietnamese text.
Interestingly, Cowboy Adventure was not the only game which performed this fraudulent activity. Another game - Jump Chess - from the same developer Tinker Studio (surprise!) also did the same. Jump Chess was downloaded on nearly 5,000 Android devices before being pulled down from the Google Play store on July 2. Google has also removed Cowboy Adventure.
While a possibility exists that the developer Tinker Studio was careless, ESET's Robert Lipovsky is pretty darned sure that the attackers had criminal intentions.
"It's very unlikely that they were just dumb," says Lipovsky.
For those who downloaded Cowboy Adventure, it is recommended you change not only your Facebook password, but also for any other service that uses the same username and password.