According to a report by Meta, nearly one million Facebook users have been targeted by malicious Android and iPhone apps that attempted to steal their passwords.
The malware, detected over the past year, posed as different kinds of apps, including fake photo editors, virtual private networks that claimed to boost browsing speed and allow access to blocked websites, mobile games, and health and lifestyle trackers. Some promised to turn the user’s face into a cartoon, while others offered horoscopes. Some of these apps managed to pass Apple’s and Google’s security reviews and end up in the tech giants’ official app stores, but Meta didn’t specify which ones.
The malware’s modus operandi was simple phishing, David Agranovich, director of threat disruption at Meta, said in a press briefing on Meta’s report. Most apps required a Facebook login to use them, which is typical of many apps. “But in the background, usernames and passwords, along with two-factor authentication codes, were being sent to app developers, who sought to gain illegal access to Facebook accounts, and nothing more,” Mr. Agranovich said. “Our feeling is that this was not a geographically targeted operation. Rather, it was an attempt to gain access to as many login credentials as possible,” Agranovich added.
He suggested users be wary of apps that require logging into Facebook to get any functionality. “If a flashlight app asks you to log into Facebook before offering you this feature, there’s probably something to be wary of,” he said. He added that reviews that repeatedly label an app as a scam are also a clue to the app’s legitimacy.
He said Meta would notify the one million users who may have been exposed to the apps in some way, although the company could not say for sure whether all of those users were actually affected. How Meta determined which accounts were likely to be affected is also unclear. Mr. Agranovich simply said that the company has ways of detecting “signals”, which “help us understand if this account has been compromised and if an attacker may have gained access to their accounts in a particular way”.
Meta said it had contacted Apple and Google about its findings, but could not say whether all of the identified apps had been removed.
Apple said that of the total 400 apps discovered, 45 were on iOS and had been removed from the App Store.
Google said it had already detected and removed many of these apps over the past year, before Meta sent out its alerts. A spokesperson added: “All apps identified in the report are no longer available on Google Play. Users are also protected by Google Play Protect, which blocks these apps on Android.”
Article translated from Forbes US – Author: Thomas Brewster