Meta will notify at least 1 million Facebook users that their login information may have been stolen if they downloaded one of hundreds of malicious mobile apps.
Driving the news: Meta’s security team published a report this morning detailing how more than 400 mobile apps posed as innocuous tools, such as photo editors, to get people to share their Facebook login credentials.
- 355 of those were Android apps, while 47 were on iOS.
- About 40% of the apps were disguised as photo editing tools. The others fell into a range of categories including gaming, lifestyle, business utility and virtual private networks.
- The report is part of an effort by Meta’s Security Team to publish security advisories more regularly.
How it works: Bad actors create malicious applications, disguise them as run-of-the-mill tools and then publish them onto mobile app stores.
- After downloading the app, a user is prompted to set up an account by using the “Login with Facebook” function.
- Once someone enters their login credentials, the underlying malware tucked into the app collects and steals that information.
- Those login credentials can be used to gain complete access to someone's Facebook account — or other accounts, if they use the same email and password combinations elsewhere.
Details: David Agranovich, Meta’s director of threat disruption, told reporters that it’s impossible for his team to determine the exact number of Facebook users who fell for this scam since the attack happened on their personal devices.
- But Agranovich and his team have identified at least one million potentially affected users, although he noted that the company is being “overcautious” with notifications.
- Both Apple and Google told Axios that the malicious apps have been removed from their stores.
The big picture: More bad actors have been turning to malicious applications as a way of stealing login credentials or installing spyware onto someone’s device without their knowledge.
- While Apple and Google have teams that carefully vet the apps uploaded to their stores, they can’t catch everything.
Be smart: Meta is advising people to carefully examine the applications they ask to connect to their Facebook account.
- “If a flashlight application is requiring you to log in with Facebook before it gives you any flashlight functionality, it’s probably something to be suspicious of,” Agranovich said.