Meta has issued a warning to 1 million Facebook users that their account information may have been compromised by third-party apps from Apple’s or Google’s app stores. In a new report, the company’s security researchers say that last year they identified more than 400 fraudulent apps designed to hijack users’ Facebook account information.
According to the company, the apps present themselves as “fun or useful” services such as photo editors, camera apps, VPN services, horoscope apps, and fitness tracking tools. They often require users to “Log in with Facebook” to access the promised features, but these login prompts are just a way to steal users’ Facebook account information. David Agranovich, Meta’s Director of Threat Corruption, says that many of the applications Meta describes are almost non-functional.
“Many of the apps provided little or no functionality before signing in, and again, many had no functionality at all even after someone agreed to sign in,” Agranovich told reporters during a briefing.
Meta says it has found malicious apps in both the Google Play Store and the Apple App Store, although the vast majority are Android apps. Interestingly, the malicious Android apps were mostly consumer apps like photo filters, while the 47 iOS apps were almost exclusively what Meta calls “business utility” apps. Named “Very Business Manager”, “Meta Business”, “FB Analytic” and “Ads Business Knowledge”, these apps specifically target people who use Facebook’s business tools.
Agranovich said Meta shared its findings with both Apple and Google, but removal of apps is ultimately up to the stores. Meanwhile, Facebook is issuing warnings to the 1 million people who may have used the apps. Notifications clearly indicate to users that their account information may have been compromised by an app. Meta recommends that those who receive this warning reset their passwords.