Meta stated that it would share tips with potential victims on how to avoid being “re-compromised” by learning how to identify problematic apps.
Meta Platforms Inc. announced that it would notify approximately 1 million Facebook users that their account credentials may have been compromised as a result of security issues with apps downloaded from Apple Inc. and Alphabet Inc.’s software stores.
This year, the company identified more than 400 malicious Android and iOS apps that target internet users in order to steal their login information, according to a statement released on Friday. Meta stated that it notified both Apple and Google of the problem in order to facilitate the removal of the apps.
Apple and Google have removed the apps from their respective stores, but they shouldn't have been there in the first place, said Meta.
According to Facebook, the apps disguised themselves as photo editors, mobile games, or health trackers. Apple stated that 45 of the 400 problematic apps were available on its App Store and had since been removed. According to a Google spokesperson, all of the malicious apps in question were removed.
To be fair, Facebook’s report indicates that the problem is much worse on the Play Store — 355 of the 402 malicious apps on its list were for Android, while 47 were for iOS. Interestingly, while the Android ones included games, VPNs, photo editors, and horoscope apps, every single one for the iPhone was related to managing business pages or ads.
“Cybercriminals are aware of how popular these types of apps are, and they will use similar themes to dupe people and steal their accounts and information,” said David Agranovich, Meta’s director of global threat disruption. “If an app promises something that appears to be too good to be true, such as unreleased features for another platform or social media site, chances are it has ulterior motives.”
A typical scam would unfold after a user downloaded one of the malicious apps. Beyond basic functionality, the app would require a Facebook login, duping the user into providing their username and password. Users could then, for example, upload an edited photo to their Facebook account. However, they unknowingly compromised their account by granting the app’s author access.
Meta stated that it would share tips with potential victims on how to avoid being “re-compromised” by learning how to spot problematic apps that steal credentials, whether for Facebook or other accounts. The malicious activity occurred outside of Meta systems, according to Agranovich, who added that not all 1 million people’s passwords were necessarily compromised.