As many as 1 million Facebook users were targeted with Android and iPhone malware apps that tried to steal their passwords, according to a report released by Meta on Thursday.
The malware, detected across the last year, masqueraded as various kinds of apps, including fake photo editors, virtual private networks that claimed to boost browsing speeds and give access to blocked websites, mobile games, and health and lifestyle trackers. Some promised to turn the user’s face into a cartoon, while others provided horoscopes. Some of the apps made it through Apple’s and Google’s security review and onto the tech giants’ official app stores, though Meta didn’t specify which ones.
The modus operandi of the malware was simple phishing, said David Agranovich, Meta’s director of threat disruption, during a press briefing on Meta’s report. Most of the apps asked for a Facebook login to use the app, which is typical of many apps. But in the background, the usernames and passwords, along with any two-factor authentication codes, were being sent to the app developers, who were looking for illegal access to Facebook accounts and nothing more, Agranovich said. “Our sense here is that this wasn’t kind of a specific geographically targeted thing. This was more an attempt to just get access to as many login credentials as possible,” Agranovich added.
Agranovich suggested that users should be wary of apps that require them to log in to Facebook to gain any functionality. “If a flashlight application is requiring you to log in with Facebook before it gives you any flashlight functionality, there’s probably something to be suspicious of,” he said. He added that reviews repeatedly calling out an app as a scam also provide a clue about the app’s legitimacy.
He said that Meta would be warning 1 million users if they had been exposed to the apps in some way, though the company couldn’t definitively say whether or not all those users…