A million Facebook users might have provided their usernames and passwords to harmful apps designed to help scammers take over their accounts, Facebook parent company Meta said Friday.
The social media giant said it found more than 400 malicious apps available on Apple and Android devices. These apps pretended to offer mobile games, photo editing, fitness tracking or even to brighten a phone’s flashlight. Facebook users who might have logged into the social network on a malicious app will receive a security notice that includes steps they can take to protect their accounts. Some of those steps include resetting their Facebook password, adding an extra layer of security known as two-factor authentication and turning on alerts so you know when someone has tried to sign into their Facebook accounts.
Meta’s findings underscore the risks that could come with providing your Facebook account information to log into apps. David Agranovich, Meta’s director of Threat Disruption, said there are benefits to logging into apps through Facebook or other account providers. It reduces the need for people to create multiple accounts where a username or password may be reused on other sites. Logging into an app through another account also creates an extra layer of authentication, he said.
In this case, scammers were trying to dupe people into downloading an app with malicious software that steals their Facebook username and passwords. The apps prompted people to log into their Facebook accounts. While there are legitimate apps that ask for Facebook login information, there are also harmful ones that evade detection and make it onto app stores.
“The reality is a lot of these scams don’t start and end on one platform,” Agranovich said. “To avoid detection, threat actors will often carry their activity across different sites, which makes cross industry collaboration like this all the more critical.”
Agranovich said it’s tough for Meta to tell if a user has provided their Facebook login information to a malicious app or simply downloaded the app but never logged into it. Meta looks at various signals, he said, to determine if a Facebook user’s account may have been compromised and if an attacker broke into their account in a particular way.
Google and Apple spokespeople said all of the malicious apps Meta identified in the report have been removed. More than 350 of the malicious apps were available on Android devices. The search giant has a service called Google Play Protect that checks Android devices for potentially harmful apps.
Once an attacker steals someone’s Facebook username and password, they can use that information to take over their account and get more personal information about the victim. They can also use the compromised account to message the victim’s friends to scam them out of money or purchase ads to dupe others.
Protecting your Facebook account
Meta provided a list of the more than 400 malicious apps on a blog post so users can check to see if they have downloaded any of them. Some of the apps have names such as Beauty Camera, Kangaroo VPN, Magic Horoscope, QR Barcode Scanner.
About 43% of the malicious apps were for photo editing.
Meta outlined some red flags users should look out for before logging into an app with their Facebook account.
Some of these signs include requiring social media login information to use the app.
“For example, be suspicious of a photo-editing app that needs your Facebook login and password before allowing you to use it or an app that asks you to log in with Facebook to remove ads,” Meta said in its report.
People can also look at whether an app has negative reviews but attackers can also publish fake ones so that strategy doesn’t always work. Some of the apps promised to provide features after logging in with your Facebook account, but once people did, the app was useless.
Facebook users can also report malicious apps to the company online.