Meta warns 1 million Facebook users who installed password-stealing apps

Meta is warning 1 million Facebook users that their account information may have been compromised by third-party apps from Apple or Googles stores. In a new report, the companys security researchers say that in the last year theyve identified more than 400 scammy apps designed to hijack users Facebook account credentials.

According to the company, the apps are disguised as fun or useful services, like photo editors, camera apps, VPN services, horoscope apps, and fitness tracking tools. The apps often require users to Log In with Facebook before they can access the promised features. But these login features are merely a means of stealing Facebook users account info. And Metas Director of Threat Disruption, David Agranovich, noted that many of the apps Meta identified were barely functional.

Many of the apps provided little to no functionality before you logged in, and most provided no functionality even after a person agreed to login, Agranovich said during a briefing with reporters.

Meta

Of note, Meta found malicious apps in both Googles Play Store and Apples App Store, though the vast majority were Android apps. Interestingly, while the malicious Android apps were mostly consumer apps, like photo filters, the 47 iOS apps were almost exclusively what Meta calls business utility apps. These services, with names like Very Business Manager, Meta Business, FB Analytic and Ads Business Knowledge, seemed to be targeted specifically at people using Facebooks business tools.

Agranovich said that Meta shared its findings with both Apple and Google, but that it was ultimately up to the stores to ensure the apps are removed. In the meantime, Facebook is pushing warnings to 1 million people who may have used the apps. The notifications inform users their account info may have been compromised by an app it doesnt name which one and recommends resetting their passwords.