More than one million Facebook users may have had their login details compromised by third-party scam apps, according to a report recently released by Meta.
The apps, which posed as “fun or useful” services such as photo editors, camera apps, and virtual private networks (VPNs), demanded that users “Log In with Facebook” before they would work, and then harvested the credentials that were entered.
All 400 apps were available on the App Store or Google Play, which raises serious questions about both stores' app-review and anti-fraud mechanisms. Here's a breakdown of what happened, along with the apps you should look out for.
One Million Facebook Users May Have Compromised Accounts, Meta Warns
Security researchers at Meta have identified suspicious app activity tied to Facebook accounts. According to the report they released, they found more than 400 malicious Android and iOS apps designed to steal the Facebook login credentials of the people who installed them.
These apps required users to log in with their Facebook credentials before they would activate. Most offered no real functionality at all; the login prompt was simply the mechanism for capturing the user's account details.
“Many of the apps provided little to no functionality before you logged in, and most provided no functionality even after a person agreed to log in” – Meta researcher
Meta does not know exactly what the operators intended to do with the stolen credentials. In its blog post, the company notes that once attackers have full access to an account they could, for example, message the victim's friends or read their private information.
Meta says it has notified every Facebook user who may have used their account to log into one of these apps. If you suspect you have installed one, the main ones to look out for are listed below.
What malicious apps did Meta find?
According to Meta's researchers, most of the credential-stealing apps were disguised as “fun or useful” services such as photo editors, camera apps, VPN tools, fitness trackers, and astrology apps. This was especially true of the apps distributed through Google Play.
The iOS apps were a different story: most of the malicious apps found on Apple's App Store posed as ad-optimization tools with a business-to-business (B2B) focus, so businesses in particular should scrutinize iOS apps that ask for Facebook access.
As the chart below shows, photo editors were by far the most common disguise (42.6% of the apps), with business utilities and phone utilities the second and third most common covers.
The full list of threat indicators is available in Meta's blog post and on GitHub. Android apps named in the report include Cool Photo Editor, Text Camera, Video Converter Master, Meteor VPN, MuMus Music Player, and ProFlash; iOS apps include FB analytic, Meta Ads, Ad Optimization Meta, and Ads & Business Suite.
Scam Apps Are Now Prevalent
Meta accepts some responsibility for this scare, noting that while logging into apps with a Facebook account is convenient, signing up for an app with a separate account may be more secure. But if Facebook's login mechanism shares a little of the blame, Apple and Google deserve more of it for letting hundreds of malicious apps through their review processes and onto their stores in the first place.
Since the Covid-19 pandemic, mobile app fraud has risen sharply, leaving more and more smartphone users exposed to this form of exploitation. In many cases the apps are used to harvest personal information such as addresses, phone numbers, and even banking details.
The problem is widespread enough that in June of last year the Washington Post reported that around 2% of the top 1,000 apps were engaged in fraudulent activity. Many such apps attract few users, but some have been downloaded millions of times.
In fairness to Apple and Google, stamping out scam apps is no easy feat, and both are making significant efforts to reduce fraud on their stores. Apple, for instance, blocked over 1.6 million problematic apps in 2021 alone.
Still, as malicious apps continue to evade review and reach users, consumers need to do what they can to protect themselves.
How to Avoid Mobile App Fraud
Image credit: Meta
According to Meta, if you believe you have been affected by one of these apps you should delete it from your device, reset your Facebook password and choose a stronger one, enable two-factor authentication, and turn on login alerts so you are notified whenever someone tries to access your account.
If you don't think you have been hit but want to avoid this kind of breach in the future, we advise checking an app's reputation before downloading it, being wary if the promised features aren't there once you open it, treating any app that refuses to work until you hand over your Facebook credentials as a red flag, and reporting suspicious behavior as soon as you suspect an app is illegitimate.