Meta’s security researchers have identified more than 400 malicious apps on the App Store and Play Store that have reportedly targeted one million users to steal their Facebook login credentials.
Meta highlights the epidemic of scam apps across app marketplaces
In a new blog post, Meta went into depth about the issue of fake apps on iOS and Android that were designed to steal Facebook login information and compromise users’ accounts. The malicious apps were disguised as photo editors, games, VPN services, etc. Meta mentions some examples:
- Photo editors, including those that claim to allow you to “turn yourself into a cartoon”
- VPNs claiming to boost browsing speed or grant access to blocked content or websites
- Phone utilities such as flashlight apps that claim to brighten your phone’s flashlight
- Mobile games falsely promising high-quality 3D graphics
- Health and lifestyle apps such as horoscopes and fitness trackers
- Business or ad management apps claiming to provide hidden or unauthorized features not found in official apps by tech platforms
Now, let’s talk about how these scam apps stole login credentials for numerous Facebook accounts. When a user installs a malicious app, it may prompt them to “Login With Facebook” before they can use the features. If they enter their credentials, the scam app, and the malware it contains, steal the username and password.
If a user’s login credentials have been compromised, attackers will have full access to their Facebook account and private information, and will even be able to send messages to their friends via Messenger.
The company asks users to look at three things before logging into a mobile app with their Facebook accounts:
- Requiring social media credentials to use the app: Is the app unusable if you don’t provide your Facebook information? For example, be suspicious of a photo-editing app that needs your Facebook login and password before allowing you to use it.
- The app’s reputation: Is the app reputable? Look at its download count, ratings, and reviews, including negative ones.
- Promised features: Does the app provide the functionality it says it will, either before or after logging in?
If you are affected, Meta advises you to reset and create new strong passwords, enable two-factor authentication and turn on log-in alerts.
It is important to note that the company’s blog post does not mention how many users were affected. However, reports from reputable publications such as Bloomberg claim that one million Facebook users will be notified by Meta that their credentials have been compromised.
Meta has also reported its findings to Apple and Google, and the malicious apps it discovered have been taken down from the App Store and Play Store.