Security researchers at Meta uncovered over 400 malicious apps from the App Store that stole credentials from Facebook users.
These apps, found on iOS and Android, posed as VPNs, photo editors, games, business apps, and other categories such as horoscope apps. However, the vast majority of the apps were found on the Google Play Store.
The company didn't reveal how many people were affected, but others say it could have been as many as one million Facebook users.
"Many of the apps provided little to no functionality before you logged in, and most provided no functionality even after a person agreed to login," said David Agranovich, Meta's Director of Threat Disruption.
The apps required people to log in with their Facebook account, a standard sign-in method offered by many apps and services. Because the login screen was controlled by the malicious app rather than Facebook, whatever credentials people entered were captured by the attackers.
Once an attacker compromises an account in this way, they can potentially access all private information on the person's Facebook profile. They could even message the person's Messenger contacts to send links to the malicious apps and compromise more accounts.
Meta has reported the malicious apps to Apple and Google, and they have been removed from each app store. Through its own app, Facebook is also alerting people who may have been compromised and helping them secure their accounts.
How to stay safe
Meta shared a few things to consider before logging into an app with a Facebook account.
- Is the app unusable without a Facebook login?
- Is the app reputable? Check the number of downloads it has, along with ratings and reviews.
- Does the app provide the functionality it says it will, before or after logging in?
Another way to stay safe is to simply not log in with Facebook. Sign in with Apple is more secure, although not every app will offer it.
Logging in with an old-fashioned email address, using a strong password generated with a password manager such as iCloud Keychain, would also be more secure — and private — than Facebook's method.
13 Comments
The last paragraph sums it up… but let’s go a step further!
“Logging in with an old-fashioned email address, using a strong password generated with a password manager such as iCloud Keychain, would also be more secure — and private — than Facebook's method.”… now let’s use a forwarding address that’s created specifically for this website/app. Meaning if I downloaded Crazier Birds (made up app) and it wants me to sign in, I create a forwarding email, crazybirds1@ForwardingAddress.com, and then generate a random password. Worst case, hackers get my login to Crazy Bird but nothing else, not my FB, Google, Apple, etc. The hackers literally cannot go anywhere with this, end of the line. They don’t harvest any emails, and if they start spamming my forwarding address, I kill it and no harm done; they don’t get any original personal information.
I NEVER use log in with Facebook, Twitter, Google or any social. It’s either a trash email I keep for this purpose or Log in with Apple. The only problem I’ve found with log in with Apple is resetting passwords. They ask for the original email.
Working to prevent this is part of the reason for the 30% commission the App Store charges. Congress needs to get their hands and minds out of campaign donors’ pockets and quit trying to allow alternative app stores and freeloaders on the App Store.
What's Facebook?