Innocent souls who wanted nothing more than to enjoy a game called "Cowboy Adventure" may have found their personal information compromised thanks to malware contained within the app.
Apparently, "Cowboy Adventure," which has since been removed from Google Play, produced a fake Facebook login screen. Users were prompted to enter their email or phone number along with their password. If they did so, their information was allegedly sent to a server belonging to the scammers.
If you've downloaded "Cowboy Adventure" -- between 500,000 and 1 million people did, according to ESET -- you should immediately change your password not just on Facebook, but on any service that uses the same password as your Facebook account.
Robert Lipovsky, a senior malware researcher at ESET, told The Huffington Post that malware on Google Play is not unheard of.
"It happens more often than we’d hope," Lipovsky said via email. "Google does have security mechanisms in place to keep malware off the Play store (Google Bouncer) but the reality in computer security is that no technical solution is 100 percent bulletproof."
Jason Hong, an associate professor at Carnegie Mellon's school of computer science and head of PrivacyGrade -- a blog, run by researchers from Carnegie Mellon University, that rates the security of Android apps -- told HuffPost that this may just be the tip of the iceberg.
"This kind of thing is pretty easy to do, and we're lucky we haven't seen it a lot yet. It's pretty likely we'll see a lot more of it in the future though, because criminals are pretty good at copying each other once they see that something works," Hong said.
For what it's worth, Google quickly removed the "Cowboy Adventure" game as soon as the security issue was identified.
"While we don’t comment on specific apps, we can confirm that our policies are designed to provide a great experience for users and developers. That’s why we remove apps from Google Play that violate those policies," a spokesman told HuffPost.
App stores are often hosts to problematic apps, even if they aren't outwardly malicious -- that is, designed to harvest and exploit your personal information. For example, certain games have been found to use individuals' personal information or real-world location to target advertisements.
When you download an app from an official source, you're generally prompted to grant certain "permissions" to the app. That said, it's not always clear why: A game downloaded from Google Play might need access to "Wi-Fi connection information." The explanation given? "Allows the app to view information about Wi-Fi networking, such as whether Wi-Fi is enabled and names of connected Wi-Fi devices." You'd be forgiven for not really knowing what the heck that means.
For its part, Google is planning to overhaul how these permissions work in a new version of its Android operating system.
Meanwhile, Lipovsky recommends a few basic tips to stay safe: Download from official sources, like the Google Play store or Apple's App Store, and always make sure to read reviews from other users before you download. (A number of people had noticed and written about how sketchy "Cowboy Adventure" was before Google removed it.) You should also sign up for two-factor authentication on services that allow it -- that makes it harder for criminals to access your account with just your password, should it ever become compromised.