Today, we’re sharing an update on our work against malicious mobile apps available in the official Apple and Google app stores that are designed to compromise people’s Facebook accounts. We’ve shared our findings with industry peers, security researchers and policymakers to help us improve our collective defenses against this threat. Most importantly, because these apps were accessible in third-party app stores, we’re encouraging people to be cautious when downloading a new app that asks for social media credentials and providing practical steps to help people stay safe.
What We’ve Found
Our security researchers have found more than 400 malicious Android and iOS apps this year that were designed to steal Facebook login information and compromise people’s accounts. These apps were listed on the Google Play Store and Apple’s App Store and disguised as photo editors, games, VPN services, business apps and other utilities to trick people into downloading them. Some examples include:
- Photo editors, including those that claim to allow you to “turn yourself into a cartoon”
- VPNs claiming to boost browsing speed or grant access to blocked content or websites
- Phone utilities such as flashlight apps that claim to brighten your phone’s flashlight
- Mobile games falsely promising high-quality 3D graphics
- Health and lifestyle apps such as horoscopes and fitness trackers
- Business or ad management apps claiming to provide hidden or unauthorized features not found in official apps by tech platforms.
This is a highly adversarial space and while our industry peers work to detect and remove malicious software, some of these apps evade detection and make it onto legitimate app stores. We’ve reported these malicious apps to our peers at Apple and Google and they have been taken down from both app stores prior to this report’s publication. We are also alerting people who may have unknowingly self-compromised their accounts by downloading these apps and sharing their credentials, and are helping them to secure their accounts.
How Do These Apps Work?
Malicious developers create malware apps disguised as apps with fun or useful functionality — like cartoon image editors or music players — and publish them on mobile app stores.
To cover up negative reviews by people who have spotted the defunct or malicious nature of the apps, developers may publish fake reviews to trick others into downloading the malware.
When a person installs the malicious app, it may ask them to “Login With Facebook” before they are able to use its promised features. If they enter their credentials, the malware steals their username and password.
If the login information is stolen, attackers could potentially gain full access to a person’s account and do things like message their friends or access private information.
How You Can Stay Safe
There are many legitimate apps that offer the features listed above or that may ask you to sign in with Facebook in a safe and secure way. Cybercriminals know how popular these types of apps are and use these themes to trick people and steal their accounts and information.
Malware apps often have telltale signs that differentiate them from legitimate apps. Here are a few things to consider before logging into a mobile app with your Facebook account:
Here are a few examples of malware apps we found to provide no functionality until you log in with your social media account.
- Requiring social media credentials to use the app: Is the app unusable if you don’t provide your Facebook information? For example, be suspicious of a photo-editing app that needs your Facebook login and password before allowing you to use it.
- The app’s reputation: Is the app reputable? Look at its download count, ratings and reviews, including negative ones.
- Promised features: Does the app provide the functionality it says it will, either before or after logging in?
What to Do If You’re Affected
If you believe you’ve downloaded a malicious app and have logged in with your social media or other online credentials, we recommend that you delete the app from your device immediately and follow the following instructions to secure your accounts:
We also encourage people to report malicious applications that compromise Meta accounts to us through our Data Abuse Bounty program.
- Reset and create new strong passwords. Never reuse your password across multiple websites.
- Enable two-factor authentication, preferably using an Authenticator app, to add an extra security layer to your account.
- Turn on log-in alerts so you’ll be notified if someone is trying to access your account. Be sure to review your previous sessions to ensure you recognize which devices have access to your account.
Threat Indicators
Threat indicators are also available in CSV, TSV, and JSON formats at GitHub - facebook/malware-detection: Sharing indicators and methods for malware detection and prevention to help keep the Internet safe
Android Apps
Read more
Protecting People From Malicious Account Compromise Apps | Meta
More than 400 malicious Android and iOS apps this year targeted people to steal their Facebook login information.
about.fb.com
