Social networking company Meta warned it has found more than 400 malicious apps available on Apple and Android devices. These apps pretended to offer mobile games, photo editing, fitness tracking or even to brighten a phone's flashlight. Facebook users who might have logged into the social network on a malicious app will receive a security notice that includes steps they can take to protect their accounts. Some of those steps include resetting their Facebook password, adding an extra layer of security known as two-factor authentication and turning on alerts so users know when someone has tried to sign into their Facebook accounts.
Meta's director of Threat Disruption, David Agranovich, said there are benefits to logging into apps through Facebook or other account providers. It reduces the need for people to create multiple accounts where a username or password may be reused on other sites. Logging into an app through another account also creates an extra layer of authentication.
But in this case, scammers were trying to dupe people into downloading an app with malicious software that steals their Facebook usernames and passwords. The apps prompted people to log into their Facebook accounts. While there are legitimate apps that ask for Facebook login information, there are also harmful ones that evade detection and make it onto app stores.
"To avoid detection, threat actors will often carry their activity across different sites, which makes cross-industry collaboration like this all the more critical."
Agranovich said it's tough for Meta to tell if a user has provided their Facebook login information to a malicious app or merely downloaded the app but never logged into it. Meta looks at various signals, he said, to determine if a Facebook user's account may have been compromised and if an attacker broke into their account in a particular way.
Google and Apple spokespeople said all of the malicious apps Meta identified in the report have been removed. More than 350 of the malicious apps were available on Android devices. The search giant has a service called Google Play Protect that checks Android devices for potentially harmful apps.