Meta warned a million Facebook users on Friday that they had been “exposed” to seemingly innocuous smartphone apps designed to steal Facebook passwords.
So far this year, Meta has identified over 400 “malicious” apps tailored for smartphones powered by Apple or Android software and available in the Apple and Google app stores, according to David Agranovich, director of threat disruption.
“These apps were disguised as photo editors, games, VPN services, business apps, and other utilities on the Google Play Store and Apple’s App Store to trick people into downloading them,” Meta wrote in a blog post.
According to Meta’s security team, the apps frequently ask people to log in with their Facebook account information to use promised features, stealing usernames and passwords if entered.
“They are simply attempting to trick people into entering their login information in such a way that hackers can access their accounts,” Agranovich said of the apps.
“We will notify one million users that they may have been exposed to these applications; however, this does not imply that they have been compromised.”
More than 40% of the apps Meta listed involved image editing or manipulation, and some offered functions as simple as turning a smartphone into a flashlight.
“Our impression is that these types of malicious app developers try to target multiple services,” Agranovich said, adding that the app creators are likely after passwords to accounts other than Facebook.
“The targeting here appeared to be fairly indiscriminate — get people to download the applications all over the world in order to gain access to as many login credentials as possible.”
Meta stated that it shared its findings with Apple and Google, which control what is available in their respective app stores and each vet the offerings.
According to AFP, only 45 of the 400 applications highlighted by Meta were on Apple’s operating system, and the company has already removed them from its app store.
According to Google, the majority of the apps flagged by Meta had already been identified and removed from the Play store by its own vetting systems.
According to an AFP spokesperson, “all of the apps identified in the report are no longer available on Google Play.”
“Google Play Protect, which blocks these apps on Android, also protects users.”