According to this Dr. Web article:

Doctor Web’s malware analysts have discovered malicious apps on Google Play that steal Facebook users’ logins and passwords. These stealer trojans were spread as harmless software and were installed more than 5,856,010 times... The applications were fully functional, which was supposed to weaken the vigilance of potential victims. With that, to access all of the apps’ functions and, allegedly, to disable in-app ads, users were prompted to log into their Facebook accounts.

The article goes on to describe how this was done:

With that, the displayed form was genuine. These trojans used a special mechanism to trick their victims. After receiving the necessary settings from one of the C&C servers upon launch, they loaded the legitimate Facebook web page https://www.facebook.com/login.php into WebView. Next, they loaded JavaScript received from the C&C server into the same WebView. This script was directly used to hijack the entered login credentials. After that, this JavaScript, using the methods provided through the JavascriptInterface annotation, passed stolen login and password to the trojan applications, which then transferred the data to the attackers’ C&C server. After the victim logged into their account, the trojans also stole cookies from the current authorization session. Those cookies were also sent to cybercriminals.

I understand little, but this method seems clearly different from the old trick of leading victims to a fake webpage and asking them to enter their passwords there. Also, whatever software was used to steal passwords from the real login pages had already been downloaded as (ostensibly) bona fide photo editing apps.

I probably wouldn't have fallen for the trick ("No ads just for logging in with Facebook? Really?") but a little more sophistication may have gotten me. Are there some telltale signs that I should be wary of to prevent this kind of thing from happening to me in the future? I will, of course, be careful to read user reviews on the Play Store.

Ray Bradbury
  • 2
    Nope! Often these malware Apps not only provide the function they claim to provide, in many cases they don't even have malware when released. A later update to the already installed App slips in the malware. – user10216038 Jul 06 '21 at 03:05
  • 1
    Avoid login in apps that use embedded user agents for 3rd party logins. – defalt Jul 06 '21 at 05:35

0 Answers
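
As an added example (not part of the original question, its comments, or the Dr. Web article), here is a static triage heuristic in Python for decompiled Android source that flags the WebView pattern quoted above and the embedded-user-agent login mentioned in the comment. The indicator grouping, verdict names and the three sample snippets are assumptions constructed for illustration; the Android API names are real SDK calls.

```python
import re

# Real Android SDK call names; grouping them into a heuristic is this
# example's own assumption, not Dr. Web's detection logic.
INDICATORS = {
    # Third-party login page opened in an embedded WebView (URL from the article).
    "login_in_webview": re.compile(r'loadUrl\(\s*"https://(?:www\.|m\.)?facebook\.com/login'),
    # Native methods exposed to page script.
    "js_bridge": re.compile(r'\baddJavascriptInterface\s*\(|@JavascriptInterface\b'),
    # App-supplied script run inside the loaded page.
    "script_injection": re.compile(r'\bevaluateJavascript\s*\(|loadUrl\(\s*"javascript:'),
    # Session cookies read back out of the WebView.
    "cookie_read": re.compile(r'\bCookieManager\b.*\.getCookie\s*\('),
}

def triage(source: str) -> dict:
    """Return a verdict plus the 1-based line numbers of every indicator hit."""
    lines = source.splitlines()
    hits = {name: [n for n, line in enumerate(lines, 1) if rx.search(line)]
            for name, rx in INDICATORS.items()}
    found = {name for name, nums in hits.items() if nums}
    # The login URL may arrive from remote settings, so bridge + injection is
    # the core signal; the URL or a cookie read only has to corroborate it.
    if {"js_bridge", "script_injection"} <= found and found & {"login_in_webview", "cookie_read"}:
        verdict = "high"
    elif "login_in_webview" in found:
        verdict = "review"  # embedded user agent used for a third-party login
    else:
        verdict = "none"
    return {"verdict": verdict, "hits": hits}

# Constructed samples (not taken from any real app).
SUSPICIOUS = '''WebView wv = findViewById(R.id.login);
wv.getSettings().setJavaScriptEnabled(true);
wv.addJavascriptInterface(new Bridge(), "bridge");
wv.loadUrl("https://www.facebook.com/login.php");
wv.evaluateJavascript(remoteScript, null);
String c = CookieManager.getInstance().getCookie(url);'''
EMBEDDED_ONLY = '''WebView wv = new WebView(this);
wv.loadUrl("https://www.facebook.com/login.php");'''
CUSTOM_TAB = '''CustomTabsIntent tab = new CustomTabsIntent.Builder().build();
tab.launchUrl(this, Uri.parse("https://www.facebook.com/login.php"));'''

if __name__ == "__main__":
    for name, src in [("suspicious", SUSPICIOUS), ("embedded", EMBEDDED_ONLY), ("custom tab", CUSTOM_TAB)]:
        print(name, triage(src))
```

Plain text matching misses obfuscated or reflective calls, so a "none" verdict only means these literal call sites were not found in the decompiled output.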