Meta says these apps are stealing your private information on Facebook

  • Meta has published a report that identifies hundreds of iOS and Android apps that steal Facebook user login information.
  • These apps masquerade as utilities like photo editors or mobile games to trick users into downloading them.
  • Once credentials are stolen, threat actors can gain full access to Facebook accounts and get their hands on even more personal user information.

Just like in the real world, social media can be a dangerous place filled with unscrupulous people, and your private information sells like gold to the highest bidder. To aid users in protecting themselves, Meta has released a report identifying over 400 malicious Android and iOS apps that steal your Facebook login information when downloaded.

“Today, we’re sharing an update on our work against malicious mobile apps available in the official Apple and Google app stores that are designed to compromise people’s Facebook accounts,” reads the report from David Agranovich, director, Threat Disruption and Ryan Victory, Malware Discovery and Detection Engineer at Meta.

The team found that these apps were listed on the Google Play Store and Apple’s App Store and often disguised as photo editors, mobile games, VPN services, business apps and other utilities designed to fool people into downloading and installing them.

Meta points to these examples of malicious apps that steal your Facebook login credentials once inputted:

Other examples include:

  • Photo editors, including ones where users can “turn themselves into a cartoon.” These have become very popular as of late.
  • False VPN apps that claim to “boost browsing speed” and allow access to blocked content or websites.
  • Phone utilities such as flashlight apps that claim to increase your phone’s brightness.
  • Mobile games that promise 3D graphics but are actually fake.
  • Health and fitness apps like fitness trackers and even horoscope apps.
  • Business apps.
  • Ad management apps.

Meta says that the largest share of the malicious data-stealing apps were fake photo editors at 42%, followed by business utility apps at 15.4%, and phone utility apps at 14.1%. The next most common were fake games and VPN apps at 11.7%, and finally lifestyle apps at 4.4%.

Malicious developers choose popular apps to replicate, knowing users will be fooled into downloading fun or useful apps like image editors or games. Once the apps are published, these developers may even go as far as posting fake reviews to cover up negative ones.

When a user installs one of these apps, they will be asked to “Login with Facebook” to use features of the app, only to have their credentials, like usernames and passwords, stolen by malware embedded in the fake apps.

Once credentials are stolen, attackers can readily gain access to personal accounts and message the friends and family you are linked with. Usually, these will be chain messages, adverts, or even links to malicious sites or apps.

Some attackers will even try to gain personal information from your Facebook pages. This information is often sold on the dark web in terabytes for millions of dollars.

“This is a highly adversarial space and while our industry peers work to detect and remove malicious software, some of these apps evade detection and make it onto legitimate app stores,” the report says.

The pair says that Meta has reported these apps to Apple and Google, and many of the apps have been removed from both app stores. Meta says it is also alerting people who may have unknowingly self-compromised their accounts by downloading one of the malicious apps.

It says that targeted users are being helped to re-secure their accounts. Users who believe they may have been affected and that their credentials have been stolen are urged to delete the suspected app from their devices immediately and reset their Facebook passwords.

Extra safety layers like two-factor authentication and turning on login alerts, to be notified if someone else logs into your account, are also recommended.

[Image – Brett Jordan on Unsplash]

