Meta said it notified one million Facebook users that their usernames and passwords may have been stolen after downloading one of more than 400 malicious apps for Android and iOS smartphones.
The apps have been discovered in the Google Play Store and Apple’s App Store over the past year, presenting themselves as popular types of apps.
According to Meta, four in ten of the apps pose as photo editors, while others pose as games, VPNs, health trackers, business apps, flashlight boosters and other services, all to entice users to download them.
Users who downloaded the malicious apps were prompted to log in with their Facebook account before they could use the features they were promised – and if the user entered their username and password, those credentials were handed over to the attackers.
Even after users logged in, many of the apps were useless and did not provide the functions they advertised – because by that point the attackers had already gotten what they wanted.
With stolen login credentials, attackers can gain access to someone’s account, allowing them to access private information or send malicious phishing messages to the victim’s contacts. And if the victim also uses their Facebook account to log into other apps and services, attackers will be able to access that as well – and potentially access additional sensitive data.
Since the downloads were made outside of its own ecosystem, Meta can’t be sure how many people installed the malicious apps, but the company has informed about one million users that they may have been exposed.
“In this case, we’re being a little too broad, too cautious, and telling anyone we think has been exposed to apps like this, which is around one million people,” said David Agranovich, global director of threat disruption at Meta.
The notifications serve two purposes: one is to inform people that they have downloaded a malicious application and to tell them what steps they should take to secure their account if they have entered their login information. The second is to warn people who have potentially downloaded the apps and have not yet entered their account details that they should not.
If the attackers have access to the Facebook account, they are also free to change the password and lock out the victim – and Meta says that when that happened, it worked to restore access for the user.
“We are also taking steps during our investigation to fix accounts where we may appear to have been compromised and restore access for users who may have actually lost access to their account,” Agranovich said.
Meta also provides tips for users on how to spot a malicious application. Suggested tell-tale signs include apps asking for social media credentials, especially if the app doesn’t need them. Another sign is the developer advertising features which the app lacks. A string of bad reviews with complaints that the app doesn’t work as advertised could be a key sign that something is wrong.
“I encourage people to check out App Store reviews, especially negative reviews, because you can see people explicitly yelling that the app was a scam, that their account may have been hacked, or that it was otherwise misleading in its functionality or purpose,” Agranovich said.
If users suspect that they downloaded a malicious application that provided cybercriminals with their login information, it is recommended that they create a new, strong password that is not used across multiple websites.
It is also recommended that users apply multi-factor authentication (MFA) to their Facebook account to provide an additional barrier to unauthorized logins. Users should also enable login alerts for notifications that someone might be trying to access their account.
Facebook detailed a list of malicious apps for Android and iOS in its security warning about compromised accounts. The company also reported the findings to Google and Apple.
“All apps identified in the report are no longer available on Google Play. Users are also protected by Google Play Protect, which blocks these apps on Android,” a Google spokesperson told ZDNET. The apps have also been removed from Apple’s App Store.