Meta is warning Facebook users that dozens of malicious mobile apps have reached iPhone users via the App Store and Android users via the Google Play Store. Security researchers have found hundreds of apps that could have compromised more than a million logins. According to the official statement, the apps “were designed to steal Facebook login information and compromise people’s accounts.”
While the company has uncovered more than 400 apps in total, only about 50 are from the iOS App Store, and all have been removed from sale. Meta reports that the apps, which were listed on the Google Play Store and Apple’s App Store as legitimate apps, were “disguised as photo editors, games, VPN services, business apps and other utilities to trick people into downloading them.”
The majority of apps were photo editors, specifically “those that claim to allow you to turn yourself into a cartoon,” followed by games, flashlight brightening apps, and VPNs. When installed on an iPhone, the apps ask users to Login With Facebook before they can use them. Once they do, hidden malware will steal their username and password, which could then be used to gain full access to their account.
Meta warns that users who have downloaded the apps should delete them from their phones and change their Facebook passwords. The company also recommends enabling two-factor authentication and turning on login alerts, so that users are notified if someone is trying to access their account. The company estimates that more than a million users may have fallen victim to the fake apps.
The apps were usually wrapped as photo editors, games and business apps, Meta said. There are many legitimate apps that offer similar features, the company said, noting that cybercriminals know these apps are popular and try to mimic them to trick people and steal their accounts and information.
After a user downloads the fake app, it asks them to log in with Facebook using their username and password. If the information is stolen, attackers could gain access to a person’s account and access private information, Meta said. The company said users should be wary of any app that doesn’t work without providing a Facebook login and password.
“Our security researchers have found more than 400 malicious Android and iOS apps this year that were designed to steal Facebook login information and compromise people’s accounts. These apps were listed on the Google Play Store and Apple’s App Store and disguised as photo editors, games, VPN services, business apps and other utilities to trick people into downloading them.”