These malware-laden apps include photo editors, VPNs (Virtual Private Networks), games, lifestyle, business utility, phone utility apps, and more. Meta said it has reached out to Google and Apple, who have removed the deceptive apps from their respective stores. The company also said it is reaching out to people whose accounts may have been compromised by these apps. “Most importantly, because these apps were accessible in third-party app stores, we’re encouraging people to be cautious when downloading a new app that asks for social media credentials,” Meta said.
400 Malicious Android and iOS Apps
Meta explained that the developers of these malicious apps lure users by offering a “fun or useful functionality.” Over 42 percent of these apps were photo editors. The malicious apps Meta listed in its report include Bamboo VPN, Candles VPN, Dress up Charming, Teana Music Player, Apex Race Game, and Cartoon Face Photo Editor, among others. To hide negative reviews and convince users that they’re legitimate, the developers of these malicious apps may publish fake reviews, Meta said. When users install these apps, the credential-harvesting scheme comes into effect. Users are required to log into their Facebook accounts before they can use the app. Many users may have unwittingly fallen for this, allowing the developers to swipe their login credentials. “If the login information is stolen, attackers could potentially gain full access to a person’s account and do things like message their friends or access private information,” Meta said. Although Apple’s App Store is thought to have fewer malicious apps, Meta found several malicious apps designed for iOS devices. A complete list of the malicious apps can be found here. “This is a highly adversarial space and while our industry peers work to detect and remove malicious software, some of these apps evade detection and make it onto legitimate stores,” Meta said.
Meta’s Recommendations
Meta advised users to be suspicious of apps that require users to log in to their Facebook account before they can access its features. These apps may come with a button that says “Login with Facebook.” The company also advised users to investigate apps before downloading any app. “Look at its download count, ratings and reviews, including negative ones,” Meta said. If you suspect that you may have installed a malicious app, Meta recommends deleting the app immediately. Also, reset your Facebook login and create a longer, more secure password. Also, enable two-factor authentication and “log-in alerts” so you’re notified to review and authorize every login attempt. You can also report any malicious activities through Meta’s Data Abuse Bounty program. Despite the best efforts of Google and Apple, malicious apps often end up in their stores. Threat actors go to great lengths to get their apps on these platforms, as they know this increases their chances of snaring unsuspecting victims. Earlier this year, researchers discovered that 470 malicious apps had spread cash-stealing malware to over 100 million Android devices. Interested in learning how to stay safe on Facebook? Check out our article on the top Facebook scams of 2022. If you suspect malicious actors may have accessed your Facebook account, our guide to identity theft contains some recommendations that can help to mitigate the consequences of such a breach.
