The apps tricked users by loading a legitimate Facebook sign-in page, but then also loaded JavaScript to hijack credentials. They also stole cookies from the authorization session.