Meta said it has notified a million Facebook users that their usernames and passwords may have been stolen after they downloaded one of more than 400 malicious Android and iOS smartphone apps.
The apps were found in the Google Play Store and Apple’s App Store over the course of the last year, disguised as popular kinds of apps.
According to Meta, four in ten of the apps posed as photo editors, while others posed as games, VPNs, health trackers, business applications, flashlight enhancers and other services to trick users into downloading them.
Users who downloaded the malicious apps were asked to log in with their Facebook account before they could use the features they were promised. If a user entered their username and password, the app handed those credentials to the attackers.
Even after a user logged in, many of the apps were useless and did not provide the functions they advertised, because by that point the attackers already had what they wanted.
With stolen login details, attackers can take over a person’s account, giving them access to private information and the ability to send phishing messages to the victim’s contacts. If the victim also uses their Facebook account to log in to other applications and services, the attackers can reach those too, and potentially gain access to additional sensitive data.
Because the downloads took place outside Meta’s own ecosystem, the company can’t be certain how many people installed the malicious apps, but it has notified around a million users that they may have been put at risk.
“In this case we are being kind of over broad, over cautious and notifying anyone we think may have been exposed to applications like this, which is about a million people,” David Agranovich, global director of threat disruption at Meta, told ZDNET.
The notifications have two aims – one is to inform people they’ve downloaded a malicious app and tell them what steps they should take to secure their account if they’ve entered their login details. The second is to warn people who’ve potentially downloaded the apps and are yet to enter their account details that they shouldn’t do this.
If the attackers gain access to a Facebook account, they are also free to change the password and lock the victim out. Meta says that where this has happened, it has worked to restore the user’s access.
“We’re also taking steps in the course of our investigation to remediate accounts where we can that do appear to have been compromised and restore access for users who might have actually lost access to their account,” said Agranovich.
Meta is also advising users on how to spot a malicious app. The telltale signs include an app asking for social media credentials, especially when the app has no legitimate reason to need them. Another sign is a developer advertising features the app doesn’t actually have. A string of poor reviews complaining that the app doesn’t work as advertised can also be a key sign that something isn’t right.
“I’d encourage people to look at the app store reviews particularly the negative reviews, because you may see people explicitly calling out the fact that the app was a scam, that their account may have been hacked, or that it was otherwise misleading, and its functionality or purpose,” Agranovich said.
If users suspect they’ve downloaded a malicious app that has handed their login details to cyber criminals, they should create a new, strong password, one that isn’t reused across other websites.
Users should also enable multi-factor authentication (MFA) on their Facebook account to provide an extra barrier against unauthorized logins, and turn on login alerts so they are notified when someone may be trying to access their account.
Meta has published the list of malicious Android and iOS apps in its security warning about compromised accounts. The company also reported its findings to Google and Apple.
“All of the apps identified in the report are no longer available on Google Play. Users are also protected by Google Play Protect, which blocks these apps on Android,” a Google spokesperson told ZDNET. The apps have also been removed from the Apple App Store.