Meta warns Facebook users about hundreds of apps in Apple and Google app stores that are specifically designed to steal credentials for the social networking app. The company says: it has identified more than 400 malicious apps disguised as games, photo editors, and other utilities and is notifying users who “unknowingly compromised their accounts by downloading these apps and sharing their credentials.” According to Bloombergpossibly a million users were affected.
In its post, Meta says the apps tricked people into downloading them with fake reviews and promises of useful functionality (both common tactics for other scam apps that try to take your money instead of your login credentials). But when opening some apps, users were asked to sign in with Facebook before they could actually do anything – if they did, the developers could steal their credentials.
Meta says it reported the apps to Google and Apple and removed them, but it’s still not a great look that they made it to stores in the first place. That’s especially true for Apple; the company has argued against sideloading apps for the iPhone for years, saying the ability to install apps that aren’t in the App Store is “a cybercriminal’s best friend.” It says the App Review process, which theoretically examines apps before making them available on the App Store, helped build a “trusted ecosystem for millions of apps.” Despite this, the company is struggling to control the scam apps on its platform, with some reportedly raking in millions of dollars.
To be fair, Facebook’s report indicates that the problem is significantly worse in the Play Store – of the 402 malicious apps on the list, 355 were for Android and 47 for iOS. Interestingly, the Android versions spanned a wide variety of genres from games, VPNs, photo editors, and horoscope apps, each for iPhone was related to managing business pages or ads. (This didn’t necessarily mean they weren’t fairly suspicious; it’s hard to see how “Very Business Manager” got past Apple’s App Review process.)
Neither Apple nor Google responded immediately The edge‘s request for comment.
When it comes to apps that try to steal your credentials, Meta’s message describes some good warning signs to watch out for – if the app doesn’t do what it says it does, locks down all functionality behind a login, or has tons of (possibly buried) negative reviews, it’s probably best to give it a pass and find another more reputable app.