Meta discovers 400 mobile apps designed to steal Facebook login credentials
Meta will notify at least 1 million Facebook users that their login information may have been stolen if they downloaded one of hundreds of malicious mobile apps.
Driving the news: Meta’s security team released a report this morning detailing how more than 400 mobile apps posed as harmless tools, such as photo editors, to trick people into sharing their Facebook login credentials.
- 355 of them were Android apps, while 47 were on iOS.
- About 40% of apps were disguised as photo editing tools. The rest fell into a range of categories, including gaming, lifestyle, utilities, and virtual private networks.
- The report is part of an effort by Meta’s security team to publish security advisories more regularly.
How it works: Attackers build malicious apps, disguise them as mundane tools, and then publish them to mobile app stores.
- After downloading the application, the user is prompted to create an account using the “Login with Facebook” function.
- Once someone enters their login credentials, the underlying malware hidden within the app collects and steals that information.
- This login information can be used to gain full access to someone’s Facebook account – or other accounts, if they use the same email and password combinations elsewhere.
Details: David Agranovich, director of threat disruption at Meta, told reporters that it was impossible for his team to determine the exact number of Facebook users who have fallen for this scam, since the attack takes place on their personal devices.
- But Agranovich and his team identified at least a million potentially affected users, though he noted the company was “too cautious” with notifications.
- Both Apple and Google told Axios that the malicious apps had been removed from their stores.
The big picture: More and more malicious actors are turning to rogue apps to steal login credentials or install spyware on someone’s device without their knowledge.
- Although Apple and Google also have teams that carefully vet the apps in their stores, they can’t catch everything.
Be smart: Meta advises people to carefully consider which apps they allow to connect to their Facebook account.
- “If a flashlight app requires you to log in with Facebook before giving you flashlight functionality, that’s probably something to be wary of,” Agranovich said.