AppleInsider may earn an affiliate commission on purchases made through links on our site.
Security researchers at Meta uncovered over 400 malicious apps from the App Store that stole credentials from Facebook users.
These apps, found on iOS and Android, posed as VPNs, photo editors, games, business apps, and other categories such as horoscope apps. However, the vast majority of the apps were found on the Google Play Store.
The company didn't reveal how many people were affected, but others say it could have been as many as one million Facebook users.
"Many of the apps provided little to no functionality before you logged in, and most provided no functionality even after a person agreed to login," said David Agranovich, Meta's Director of Threat Disruption.
The apps required people to log in with their Facebook account, which is a standard method to sign in with some apps and services. As a result, the apps were able to steal the login credentials.
Once an attacker compromises an account in this way, they can potentially access all private information on the person's Facebook profile. They could even message the person's Messenger contacts to send links to the malicious apps and compromise more accounts.
Meta has reported the malicious apps to Apple and Google, and they have been removed from each app store. Through its own app, Facebook is also alerting people who may have been compromised and helping them secure their accounts.
How to stay safe
Meta shared a few things to consider before logging into an app with a Facebook account.
- Is the app unusable without a Facebook login?
- Is the app reputable? Check the number of downloads it has, along with ratings and reviews.
- Does the app provide the functionality it says it will, before or after logging in?
Another way to stay safe is to simply not log in with Facebook. Sign in With Apple is more secure, although not every app will offer it.
Logging in with an old-fashioned email address, using a strong password generated with a password manager such as iCloud Keychain, would also be more secure — and private — than Facebook's method.