Before being taken down, the 25 apps were collectively downloaded more than 2.34 million times. They included Video Maker, iPlayer, File Manager and Wallpaper apps.
The apps were all developed by the same threat group. They offered working functionality, but they also contained malicious code. The malicious app detected which other applications were running on the phone.
If the application was Facebook, the malicious app would overlay a web browser window on top of the official Facebook app and load a fake Facebook login page.
Once the user entered their login details on the phishing page, the stolen details were sent to a remote server.