Meta Platforms has identified more than 400 malicious Android and iOS apps this year, distributed through Google Play and Apple's App Store, that aim to steal users' Facebook log-in details, the company said on Friday.
The California-based technology company said it has reported the matter to Apple and Google and is helping potentially affected people. The warning is being issued to one million users, Bloomberg reported.
The apps were listed on the Google Play Store and Apple’s App Store and disguised as photo editors, games, VPN services, business apps and others to trick people into downloading them, Meta said.
When a person installs one of these apps, it may ask them to "log in with Facebook" before they can use its features. Because that log-in prompt belongs to the malicious app rather than to Facebook, any username and password typed into it is captured by the malware.
With those credentials, attackers could gain full access to the person's account and, for example, message their friends or steal private information.
“Because these apps were accessible in third-party app stores, we are encouraging people to be cautious when downloading a new app that asks for social media credentials,” said David Agranovich, director of global threat disruption at Meta.
“This is a highly adversarial space and while our industry peers work to detect and remove malicious software, some of these apps evade detection and make it on to legitimate app stores.”
Meta said the malicious apps have been taken down from both app stores by Apple and Google.
Malicious developers build malware into apps that offer fun or useful functionality and publish them on mobile app stores. To bury negative reviews from people who have noticed that an app is broken or malicious, the developers may also post fake positive reviews.
In April last year, the personal data of more than half a billion Facebook users was made available to download free of charge on an online hacking forum.
The leaked data included users' personal information such as usernames, phone numbers, marital status, locations, birth dates, email addresses and, in some cases, complete bios.
What the malicious apps look like
- Photo editors, including those that claim to allow you to turn yourself into a cartoon
- VPNs purporting to boost browsing speed or grant access to blocked content or websites
- Phone utilities such as apps that claim to brighten your mobile device’s torch
- Mobile games falsely promising high-quality 3D graphics
- Health and lifestyle apps such as horoscopes and fitness trackers
- Business or advertising management apps claiming to provide hidden or unauthorised features not found in official apps from tech platforms
What to do if you are affected
- Reset your password and choose a new, strong one; never reuse a password across different websites
- Enable two-factor authentication, preferably with an authenticator app, so that a stolen password alone is not enough to sign in to your account
- Turn on log-in alerts so you are notified if someone tries to gain access to your account