Meta warns Facebook users that it has found hundreds of iOS and Android apps that can steal their login credentials.

Facebook owner Meta issued a warning for Facebook users on iOS and Android devices, saying it has identified more than 400 malicious apps designed to steal Facebook login credentials, MacWorld reported.

The company said in a blog entry that it has reported its findings to both Apple and Google and that they are helping those who could have been affected by these apps so they can protect their accounts.

Meta's security researchers found that these malicious apps are available in both the official iOS App Store and Google Play Store, as well as on third-party app download sites.

Once downloaded and installed, these apps will ask users if they want to log in using their Facebook accounts. Those who agree to log in using Facebook run the risk of having their credentials stolen in the process.

The malicious apps are disguised in seemingly harmless forms, such as the following:

  • Photo editor apps, including those that claim to allow users to "turn yourself into a cartoon."
  • Mobile games supposedly featuring high-quality 3D graphics.
  • Phone utility apps such as flashlight apps boasting of increased brightness.
  • VPN apps saying they increase browsing speed, or allow users to access blocked content or websites.
  • Health and lifestyle apps like fitness trackers and horoscopes.
  • Business or ad management apps boasting hidden or unauthorized features that official apps from tech platforms do not have.

Meta said that of the malicious apps, 42.6% are Photo Editors, 15.4% are Business Utility apps, 14.1% are Phone Utility apps, 11.7% are Mobile Game apps, 11.7% are VPNs, and 4.4% are Lifestyle apps.

Here's how these malicious apps work:

First, the developers of such malicious apps disguise them as "fun" or "functional" apps, such as music players or cartoon image editors, that users will like and enjoy using. They then publish these on various app stores like Apple's and Google's.

Next, they pepper App Store listings with fake reviews supposedly promoting the malicious apps' features. They also do this to counter negative reviews from users who have found that these apps are defunct or not as good as advertised.

Once a user gets tricked into believing the reviews, downloading the app and installing it, the malicious app will try to get the user to log in using their Facebook account before using its promised features.

If the user logs in using his or her Facebook account, the app steals the login credentials and passes them on to the malicious developer who, in turn, gains access to the user's Facebook account for whatever purpose, such as sending messages.