Facebook will alert 1 million users on Friday that they may have unknowingly revealed login credentials to malicious Android or iOS apps.
The warning follows the release of Facebook parent company Meta’s first security report on malicious apps targeting login information. The report identifies 400 mobile applications across the Google Play and Apple App store that posed as harmless lifestyle and business apps to dupe users.
Once installed, the apps prompted users to “Login with Facebook” and enter their credentials. Doing so gives the attacker access to their Facebook account and potentially any other accounts that share the same login credentials. If an individual had two-factor authentication enabled they may have been asked by the threat actor to provide that code as well for access.
Because an account compromise happened through the malicious app, and not Facebook, the company is unable to say how many users were compromised. Instead, the company is relying on signals like on-platform behavior and how it correlates with behavior demonstrated by the malicious apps to determine which users will receive a notification.
“We’re being overcautious here,” David Agranovich, director of threat disruption, told reporters in a call. He noted that many of the apps didn’t just target Facebook credentials.
Facebook said it alerted Apple and Google to its findings prior to publishing the list of apps. Both companies told CyberScoop said that the apps flagged by Facebook had been removed from their respective stores.
Scammers appeared to be indiscriminate in their targeting, said Agranovich. Nearly half of the apps presented themselves as photo editing tools and many others as business apps such as VPNs with names like “Bamboo VPN” and “Free VPN Master.” Meta researchers also found one app that promised to make the flashlight on your phone brighter.
Only 46 apps uncovered by Facebook were iOS apps and nearly all of them claimed to offer advertising management tools for Facebook pages. Agranovitch said that scammers may have been looking for access to accounts’ pages or advertising accounts to further perpetuate scams.
Alongside the alert, Facebook is offering tips to users on how to differentiate bogus apps from legitimate ones. That includes looking for negative reviews and low downloads and questioning why an app would be asking for Facebook permissions in the first place.
What makes these particular scams tricky is that they follow users across platforms — from an app store to a mobile device to Facebook. That means no individual platform gets the full picture of the fraudsters’ activities.
“Hopefully, that notification will give them pause when they encounter a suspicious login attempt,” said Agranovich. “Many of these applications don’t just target Facebook credentials, they target credentials across a variety of different internet services.”
Facebook has gone after scammers in the past by suing hosting companies that hosted spammy URLs posing as the company.