Meta is warning 1 million Facebook users that third-party apps from the Apple or Google app stores may have compromised their account information.
According to a new report, the company’s security researchers have identified more than 400 scammy apps designed to steal users’ Facebook account credentials in the last year.
The apps are disguised as “fun or useful” services, such as photo editors, camera apps, VPN services, horoscope apps, and fitness tracking tools, according to Meta. Users are frequently required to “Log In with Facebook” before they can access the promised features.
However, these login features are used to steal Facebook users’ account information. And David Agranovich, Meta’s Director of Threat Disruption, pointed out that many of the apps identified by Meta were barely functional.
“Many of the apps provided little to no functionality before you logged in, and most provided no functionality even after a person agreed to login,” Agranovich told reporters.
Of note, Meta found malicious apps in both Google’s Play Store and Apple’s App Store, though the vast majority were Android apps. Interestingly, while the malicious Android apps were mostly consumer apps, like photo filters, the 47 iOS apps were almost exclusively what Meta calls “business utility” apps.
These services, with names like “Very Business Manager,” “Meta Business,” “FB Analytic” and “Ads Business Knowledge,” seemed to be targeted specifically at people using Facebook’s business tools.
Agranovich stated that Meta informed both Apple and Google of its findings, but that it was ultimately up to the stores to ensure the apps were removed. Meanwhile, Facebook has sent out warnings to 1 million people who may have used the apps.
The notifications tell users that their account information may have been compromised by an app (they do not specify which one) and recommend that they reset their passwords.
Apple and Google both confirmed that all of the apps identified by Meta had been removed from their respective app stores.
“All of the apps identified in the report are no longer available on Google Play,” a Google spokesperson said in a statement. “Users are also protected by Google Play Protect, which blocks these apps on Android.”