Thousands of Android users downloaded this password-stealing malware disguised as anti-virus from Google Play