Security researchers at Meta Inc. have found more than 400 “scammy apps” by developers on the Google Play Store and Apple App Store designed to hijack users’ Facebook account credentials.
Meta’s team confirmed these apps often prompt users to “Log In with Facebook” before they can access certain features. Such apps, according to the company, are disguised as “fun or useful” services, like photo editors, camera apps, VPN services, horoscope apps, and fitness tracking tools.
The company’s Director of Threat Disruption, David Agranovich, noted that many of the identified apps “were barely functional” and “provided little to no functionality before you logged in.” According to him, “Most provided no functionality even after a person agreed to login.”
Meta is therefore warning as many as 1 million Facebook users (see image below) that their account information may have been compromised by third-party apps from Apple’s or Google’s stores.
The malicious apps, according to the researchers, were found in both Google’s Play Store and Apple’s App Store, though the vast majority were Android apps.
An Engadget reporter, who was part of the briefing, noted that while the malicious Android apps were mostly consumer apps, like photo filters, the 47 iOS apps were almost exclusively what Meta calls “business utility” apps. These services, with names like “Very Business Manager,” “Meta Business,” “FB Analytic” and “Ads Business Knowledge,” seemed to be targeted specifically at people using Facebook’s business tools.
Agranovich, who led the briefing, said his company has shared its findings with the intermediaries – Apple and Google. “It was ultimately up to the stores to ensure the apps are removed,” the Director added.
What are the victims supposed to do?
In case you’re part of the 1 million who received Facebook’s warning, it’s likely you have installed or interacted with one of these malicious apps, and your account information may have been compromised.
Step 1: Delete (from your device) any app you think requested “Log In with Facebook” before you could gain access.
Step 2: Change your Facebook password and enable two-factor authentication, preferably using an authenticator app.
Step 3: Turn on login alerts so you’ll be notified if someone is trying to access your account.
Furthermore, Engadget has confirmed that both Apple and Google have removed all of the apps identified by Meta from their respective app stores.
“All of the apps identified in the report are no longer available on Google Play,” a Google spokesperson said in a statement.
The spokesperson went on to say that users are also protected by Google Play Protect, which blocks these apps on Android.