Meta has identified and listed hundreds of iOS and Android apps that threaten the account security of approximately one million users. The company explained that these apps are designed to lure users by appearing useful, when in fact they have one goal: to steal Facebook usernames and passwords.
In a blog post, David Agranovich, Meta’s director of threat disruption, and Ryan Victory, a malware discovery and detection engineer, said the company had identified 400 mobile apps that appear to be useful but are actually malicious.
Around one million users are feared to have been compromised by these malicious apps, which appear to offer “fun or useful features”. They include photo editors, VPN services that claim to increase internet speed, high-graphics games, flashlight apps, lifestyle apps such as fitness trackers, and business tools such as Facebook’s ad manager.
By far the largest share of the fake apps (42.6%) posed as photo editors, offering functionality including, but not limited to, rendering and editing cartoons. “It’s a very hostile space, and while our industry colleagues are working hard to detect and remove malware, some of these programs escape detection and end up in legitimate app stores,” Meta said.
Credential theft apps for iOS and Android. | Source: Meta
Merely downloading one of these apps is unlikely, by itself, to steal credentials. But many of the 400 apps offer “little or no functionality before signing in, and most don’t even after the person has agreed to join,” Agranovich told the press.
If users log into these apps with their Facebook credentials, their usernames and passwords are effectively compromised, exposing them to further attacks such as account takeover, and not just on Facebook.
Credential stuffing across multiple online platforms is also a major concern, especially with recent advances in bots and apps that can quickly perform automated, repetitive tasks.
Credential stuffing becomes ineffective if different passwords are used for different online services. However, this can lead to password overload, or password fatigue, in the information age. According to Okta’s Businesses at Work 2022 report, the average number of apps deployed per organization was 89 in 2021, an increase of 24 percent since 2016.
Individual users may personally use fewer online applications/services than corporate users. However, a study by the Ponemon Institute pointed out that more IT security professionals (50%) reuse passwords than individuals (29%).
Even as multi-factor authentication (MFA) catches on and organizations try to go passwordless, Verizon’s 2022 Data Breach Investigations Report attributed 80% of data breaches to stolen credentials.
Agranovich and Victory highlighted some red flags that users should be aware of when it comes to password hygiene. “Malware programs often have telltale signs that distinguish them from legitimate programs,” the duo wrote. They include:
- The app requires social media credentials before it will work
- App reputation: check the number of downloads, ratings and reviews of the app
- Whether the app actually works after the credentials have been entered
Of the 400 login-stealing apps identified by Meta, 47 were from Apple’s iOS App Store, and 355 from Google’s Android Play Store. Meta noted that these apps were also found in third-party app stores.
Google and Apple have removed the apps from their respective app stores, but that doesn’t help users who have already downloaded any of the 400 apps and signed in with their Facebook credentials.
It would be wise to uninstall any of the listed apps and immediately change your Facebook password, as well as the password of any other online app, service or platform where the same or a similar password has been used. Users should also enable login alerts and use 2FA with an authenticator app, since SMS-based 2FA one-time passwords can be hijacked in SIM-swapping attacks.
Image source: Shutterstock