Meta has uncovered over 400 mobile apps that’ve been designed to trick users into giving up their login information, including two-factor authentication codes.
The company’s malware-detection team discovered the malicious Android and iOS apps this past year while investigating cyber threats facing Facebook. Meta says it’s hard to estimate how many users may have downloaded the apps or given up their login credentials as a result, but the company plans on alerting suspected victims.
“So we’re being overcautious here. We will notify one million users that they may have been exposed to one of these applications,” David Agranovich, director of threat disruption at Meta, said in a briefing with journalists. He added that the apps targeted people indiscriminately.
The malicious apps masqueraded as legitimate programs such as photo editors, VPNs, games, or even flashlight apps. However, they would also demand the user sign in with an account for Facebook or another platform.
“Many of the apps provided little to no functionality before you logged in,” Agranovich said. “Most provided no functionality even after you logged in." But the login prompt could steal whatever username, password, and two-factor authentication code that was entered. Hackers could then use the stolen access to perpetuate other scams.
The apps also managed to bypass Google Play Store and Apple App Store safeguards to get listed. According to Meta’s report, 42.6% percent of the malicious apps posed as photo editors, while 11.7% pretended to be VPNs. Meanwhile, the affected apps on iOS focused on offering business utilities with names such as "Business Manager Pages" and "Ad Optimization Meta."
“Cybercriminals know how popular these types of apps are, and they’ll use similar themes to trick people to steal their accounts and information” Agranovich added.
Meta has already reported its findings to both Apple and Google.
Google tells PCMag: "All of the apps identified in the report are no longer available on Google Play. Users are also protected by Google Play Protect, which blocks these apps on Android." The company adds that the majority of the malicious apps mentioned in Meta's report were already identified and pulled from Google Play by the company earlier in the year.
Apple says all 45 malicious iOS apps were also removed from the company's app store. It adds that it has zero tolerance for fraud and malicious activities on the App Store.
Meta’s report has a full list of the affected apps, the vast majority of which are Android apps.
To protect yourself, Meta encourages users to look at the reviews of an app before downloading. Negative reviews, in particular, might mention if the app is a scam or not. It’s also a good idea to avoid apps that demand you log in with an official Facebook, Google, or Apple account in order to gain access to all the features.
Agranovich added: “Does this request to log in with Facebook make sense? If a flashlight application is requiring you to log in with Facebook before it gives you any flashlight functionality, that’s probably something to be suspicious of.”
To determine which users may have been exposed to threat, Agranovich said Meta will look at factors such as evidence that their account may have been compromised or accessed in a particular way.