Meta says that over the past year it found 400 Facebook password-stealing apps on both Google's Android and Apple's iOS. Most of them are believed to have been shut down, but Meta says the threat persists.
According to the report Meta published on Thursday, up to a million Facebook users were targeted by Android or iPhone malware apps that tried to steal their passwords.
The malware, discovered over the past year, was disguised as a variety of apps: fake photo editors, virtual private networks (VPNs) that claimed to improve browsing speed and allow access to restricted websites, mobile games, and fitness and health trackers. Some claimed to turn your face into a cartoon or offer horoscopes, while others offered health and lifestyle information. All of the apps passed Apple's and Google's security review and were published on the official app stores.
The malware's method of operation was straightforward, David Agranovich, Meta's director of threat disruption, said in a press briefing on Meta's report. Most of the apps required a Facebook login before they could be used, which is also a common feature of many legitimate applications. The apps walked users through what looked like a legitimate Facebook login, but in the background the usernames and passwords, along with any two-factor authentication codes, were captured by the app developers. According to Agranovich, the developers were seeking an illegal way to access Facebook accounts, and nothing more than that. "We assume that this was not a case of a targeted geographical issue. This was more of an attempt to gain access to as many login credentials as possible," Agranovich added.
Agranovich advised users to be wary of applications that require a Facebook login before offering any functionality. "If an app for flashlights requires you to sign in to Facebook before it can provide you with any flashlight features, there's likely to be something to be wary about," he said. He added that reviews consistently calling an app fraudulent were another indication that the application was not legitimate.
He stated that Meta would notify the 1 million users who were exposed to the applications in any way, although Meta could not say definitively whether all of those users had actually been affected. It was not clear how Meta identified the accounts that could be affected. Agranovich stated that Meta had methods to detect "signals" that "help us determine if an account was compromised or if an attacker gained access to their account in a certain method."
Meta said it had shared its findings with Apple and Google; however, it could not say whether all of the relevant apps had been taken down.
Apple said that of the 400 apps found, 45 were iOS apps, and that they had been removed from the App Store.
Google said it had identified and removed a number of the apps over the past year, before Meta issued its warning. A spokesperson said, "All applications listed in the report are now unavailable on Google Play. Users are secured by Google Play Protect, which stops these apps from running on Android."