As many as 1 million Facebook users were targeted with Android and iPhone malware apps that tried to steal their passwords, according to a report released by Meta on Thursday.
The malware, detected over the past year, masqueraded as various kinds of apps, including fake photo editors, virtual private networks that claimed to boost browsing speeds and grant access to blocked websites, mobile games, and health and lifestyle trackers. Some promised to turn the user’s face into a cartoon, while others provided horoscopes. Some of the apps made it past Apple’s and Google’s review processes and onto the tech giants’ official app stores, though Meta didn’t specify which ones.
The modus operandi of the malware was simple phishing, said David Agranovich, Meta’s director of threat disruption, during a press briefing on Meta’s report. Most of the apps asked for a Facebook login to use the app, which is typical of many apps. But in the background, the usernames and passwords, along with any two-factor authentication codes, were being sent to the app developers, who were looking for illegal access to Facebook accounts and nothing more, Agranovich said. “Our sense here is that this wasn’t kind of a specific geographically targeted thing. This was more an attempt to just get access to as many login credentials as possible,” Agranovich added.
Agranovich suggested that users should be wary of apps that require a Facebook login before they provide any functionality. “If a flashlight application is requiring you to login with Facebook before it gives you any flashlight functionality, there’s probably something to be suspicious of,” he said. He added that reviews repeatedly calling out an app as a scam also provide a clue to an app’s legitimacy.
He said that Meta would be warning the 1 million users who may have been exposed to the apps in some way, though the company couldn’t definitively say whether all of those users had actually been compromised. It was also unclear how Meta determined which accounts were possibly affected. Agranovich said only that the company has ways of detecting “signals” that “help us understand if that account was compromised and if an attacker was gaining access to their accounts in a particular way.”
Meta said it had contacted Apple and Google about the research, though it couldn’t say whether all the relevant apps had been removed.
Apple said that of the roughly 400 apps identified in total, 45 were iOS apps, all of which have been removed from the App Store.
Google said it had already detected and removed many of the apps over the last year before Meta sent out the alerts. A spokesperson added, “All of the apps identified in the report are no longer available on Google Play. Users are also protected by Google Play Protect, which blocks these apps on Android.”