Meta has identified more than 400 malicious apps designed to steal Facebook login credentials. One million people have downloaded these apps.
“We have identified over 400 malicious Android and iOS apps that target people on the internet to steal their Facebook login information.” This is the finding, relayed by AFP, that Meta, Facebook’s parent company, published on October 7, 2022.
The group estimates that a million users of the social network have already downloaded or used these apps, which were presented as harmless but were in reality designed to steal passwords. It should be kept in mind, however, that this does not mean that all of these 1 million people have been hacked or that their passwords have been compromised, as has been reported elsewhere.
Fake photo editors, VPN services, or utilities
What kind of apps are these? “These apps were listed on Google’s Play Store and Apple’s App Store and advertised themselves as photo editors, VPN services, business apps, and other utilities to trick people into downloading them,” Meta explains in its press release. The list includes, for example, flashlight apps, horoscope apps, and fitness apps. Apps presented as photo editors alone account for 42% of the malicious applications identified by Meta.

When installing these applications, users were asked to log in with their Facebook account. This step gave the impression of being a prerequisite for accessing the promised service. In reality, entering this information simply handed the login credentials to the malicious app.
Malicious apps have been removed from the stores
Normally, you should no longer find these applications in your smartphone’s app store. Meta says it “reported these malicious apps to [its] counterparts at Apple and Google and they were removed from both app stores prior to the publication of this report.” Of course, there is no guarantee that similar apps are not still available, or that their creators will not republish them under other names. This is why it is recommended to remain cautious and to scrutinize a few points when downloading a new app that requires signing in with a Facebook account.
For example, if the app is unusable unless you provide your Facebook credentials, that is a reason to be suspicious. Also check the reviews on the store to gauge the app’s reputation, and verify that the app actually provides the features it promises.
What to do if you gave your Facebook password to a malicious app?
What should you do if you think you have used a malicious application with your Facebook credentials (or those of another social network)? Meta advises you to:
- Delete the application from your smartphone,
- Reset your Facebook password, choosing a strong one, and do not reuse the same password on multiple sites,
- Enable two-factor authentication on Facebook,
- Turn on login alerts so that you are notified if someone tries to sign in to your account.
The list of malicious applications identified by Meta on iOS and Android is accessible at the end of the press release published by the group.