Meta will notify at least 1 million Facebook users that their login information may have been stolen if they downloaded one of hundreds of malicious mobile apps.
Driving the news: Meta’s security team released a report this morning detailing how more than 400 mobile apps posed as harmless tools like photo editors to get people to share their Facebook login details.
- 355 of them were Android apps and 47 were iOS apps.
- About 40% of the apps were disguised as photo editing tools. Others fell into a number of categories, including gaming, lifestyle, business services and virtual private networks.
- The report was produced as part of an effort by the Meta security team to provide regular security advice.
How it works: Bad actors create malware, disguise it as simple tools, and then publish it on mobile app stores.
- After downloading the app, the user is prompted to create an account using the “Sign in with Facebook” feature.
- When someone enters their login details, the malware embedded in the app collects and steals that information.
- These credentials can be used to gain full access to someone’s Facebook account, or to other accounts if they use the same email and password combination elsewhere.
Details: David Agranovich, director of threat disruption at Meta, told reporters that it was impossible for his team to determine the exact number of Facebook users who fell for this scam since the attack took place on their personal devices.
- However, Agranovich and his team have identified at least one million potentially affected users, although he noted that the company is being overly cautious with the reports.
- Both Apple and Google told Axios that the malware had been removed from their stores.
Big picture: More bad actors are turning to malware to steal login credentials or install spyware on someone’s device without their knowledge.
- While Apple and Google also have teams that scrutinize apps uploaded to their stores, they can’t catch everything.
Be smart: Meta advises people to scrutinize apps that ask them to log into their Facebook account.
- “If a flashlight app requires you to sign in to Facebook to give you any flashlight functionality, it’s probably something to be suspicious of,” Agranovich said.