Meta has identified over 400 malicious Android and iOS apps designed to steal Facebook login information and compromise people’s accounts.
These apps are disguised as photo editors, games, VPN services, business apps, and other utilities to trick people into downloading them. Some examples include:
- Photo editors, including those that claim to allow you to “turn yourself into a cartoon”
- VPNs claiming to boost browsing speed or grant access to blocked content or websites
- Phone utilities such as flashlight apps that claim to brighten your phone’s flashlight
- Mobile games that falsely promise high-quality 3D graphics
- Health and lifestyle apps such as horoscopes and fitness trackers
- Business or ad management apps that claim to provide hidden or unauthorized features not found in the official apps of tech platforms.
How do these apps work?
Malicious developers create malware apps disguised as apps with fun or useful functionality — like cartoon image editors or music players — and publish them on mobile app stores.
To drown out negative reviews from people who have spotted the defunct or malicious nature of the apps, developers may publish fake reviews to trick others into downloading the malware.
When a person installs the malicious app, it may ask them to “Login With Facebook” before they can use its promised features. If they enter their credentials, the malware steals their username and password.
If the login information is stolen, attackers could gain full access to a person’s account and do things like message their friends or access private information.
How can you protect your Facebook account from malicious mobile apps?
Malware apps often have telltale signs that differentiate them from legitimate apps. Here are a few things to consider before logging into a mobile app with your Facebook account:
- Requiring social media credentials to use the app: Is the app unusable if you don’t provide your Facebook information? For example, be suspicious of a photo-editing app that needs your Facebook login and password before allowing you to use it.
- The app’s reputation: Is the app reputable? Look at its download count, ratings, and reviews, including negative ones.
- Promised features: Does the app provide the functionality it says it will, before or after logging in?
What to do if your Facebook account is compromised?
If you believe you have downloaded a malicious app and logged in with your social media or other online credentials, we recommend that you delete the app from your device immediately and follow these steps to secure your accounts:
- Reset and create new strong passwords. Never reuse your password across multiple websites.
- Enable two-factor authentication, preferably using an authenticator app, to add an extra layer of security to your account.
- Turn on log-in alerts so you’ll be notified if someone is trying to access your account. Review your previous sessions to ensure you recognize which devices have access to your account.
- Report malicious applications that compromise Meta accounts through Meta’s Data Abuse Bounty program.
What are the 400 malicious apps?
Meta provided a list of more than 400 malicious apps in a blog post so users can check to see if they have downloaded any of them. Some apps include Beauty Camera, Kangaroo VPN, Magic Horoscope, and QR Barcode Scanner.