Apps Stealing Facebook Passwords Removed From Google Play

engine

10:31 am on Jul 5, 2021 (gmt 0)


Researchers discovered apps, downloaded almost 6-million times, which appeared to be set up to steal user Facebook credentials. In addition, there were malware variants within the apps.

The apps have now been removed from Google Play.


[arstechnica.com...]

Marshall

3:00 pm on Jul 5, 2021 (gmt 0)


How liable are the stores for selling malicious apps? Should they not bear some responsibility for not thoroughly checking them first? And my friends wonder why I do not download apps.

engine

4:46 pm on Jul 5, 2021 (gmt 0)


How liable are the stores for selling malicious apps?

I think these were free apps, and Google Play has Ts & Cs which switch the responsibility onto the user, I'm sure.

Caveat emptor!

There is only one app I've downloaded outside of Google Play, and I was very cautious and did my research first. I suspect most people trust Google Play to review the apps, but I think it's just too much, otherwise Google would have stopped these apps.
We all need to take some responsibility for our choices, although, with such apps as these, it just goes to show we have to keep our wits about us.

NickMNS

5:22 pm on Jul 5, 2021 (gmt 0)


The culprit is WebView, the pseudo "browser" that lets app developers show content as if in a browser but while still in the context of the app. Facebook is the first to abuse this. It likes to keep its users walled into its app while displaying content from 3rd-party linked content.

The real takeaway is never let an app manage the sign-in process to a 3rd-party resource. If you want to sign in with your Facebook account, then sign in to Facebook from outside the app, with Facebook directly, then go back to the app.

Federated logins are safe, in some respects safer than logging in directly to an app, as you don't have to provide any credentials directly to that app. But if an app manages to steal your credentials you have now provided them the keys to all the apps/websites for which you have used the federated login.
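To make the distinction concrete, here is an added example (not code from the thread or from any of the apps discussed) of how an Android app can do a federated login the way NickMNS recommends: the Facebook authorization page is opened in the system browser via a Custom Tab rather than inside a WebView, so the app never hosts the login page and only receives the short-lived authorization code on the redirect. The client id, redirect scheme and backend hand-off are placeholders.

```kotlin
import android.app.Activity
import android.content.Intent
import android.net.Uri
import androidx.browser.customtabs.CustomTabsIntent
import java.security.SecureRandom

// Assumed to be declared in the manifest with launchMode="singleTask" and an intent-filter
// for scheme "com.example.app", so the browser's redirect re-enters this activity.
class LoginActivity : Activity() {
    companion object {
        // Placeholder values; a real app uses its own registered client id and redirect URI.
        const val AUTHORIZE_URL = "https://www.facebook.com/v10.0/dialog/oauth"
        const val CLIENT_ID = "PLACEHOLDER_CLIENT_ID"
        const val REDIRECT_URI = "com.example.app://oauth/callback"
    }

    private var expectedState: String? = null

    // Hand the login to the browser. The page runs in the browser's process, so the app
    // cannot inject JavaScript into it or read what the user types, which is exactly what
    // an in-app WebView (WebView.evaluateJavascript, custom WebViewClient) would allow.
    fun startExternalLogin() {
        val state = ByteArray(16).also { SecureRandom().nextBytes(it) }
            .joinToString("") { "%02x".format(it) }
        expectedState = state
        val uri = Uri.parse(AUTHORIZE_URL).buildUpon()
            .appendQueryParameter("client_id", CLIENT_ID)
            .appendQueryParameter("redirect_uri", REDIRECT_URI)
            .appendQueryParameter("response_type", "code")
            .appendQueryParameter("state", state)
            .build()
        CustomTabsIntent.Builder().build().launchUrl(this, uri)
    }

    // Returns the authorization code only if the redirect carries the state we issued;
    // otherwise null (a stray or forged redirect is ignored). No password ever reaches here.
    fun extractAuthorizationCode(redirect: Uri): String? {
        val code = redirect.getQueryParameter("code") ?: return null
        val state = redirect.getQueryParameter("state") ?: return null
        return if (expectedState != null && state == expectedState) code else null
    }

    override fun onNewIntent(intent: Intent?) {
        super.onNewIntent(intent)
        val data = intent?.data ?: return
        val code = extractAuthorizationCode(data) ?: return
        expectedState = null  // single use
        // Placeholder hand-off: the code is exchanged for a token by the app's backend,
        // which holds the client secret; the app itself never sees Facebook credentials.
        sendCodeToBackend(code)
    }

    private fun sendCodeToBackend(code: String) { /* hypothetical network call */ }
}
```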