Today, we’re sharing an update on our work against malicious mobile apps available in the official Apple and Google app stores that are designed to compromise people’s Facebook accounts. We’ve shared our findings with industry peers, security researchers and policymakers to help us improve our collective defenses against this threat. Most importantly, because these apps were accessible in third-party app stores, we’re encouraging people to be cautious when downloading a new app that asks for social media credentials and providing practical steps to help people stay safe.
Our security researchers have found more than 400 malicious Android and iOS apps this year that were designed to steal Facebook login information and compromise people’s accounts. These apps were listed on the Google Play Store and Apple’s App Store and disguised as photo editors, games, VPN services, business apps and other utilities to trick people into downloading them. Some examples include:
This is a highly adversarial space and while our industry peers work to detect and remove malicious software, some of these apps evade detection and make it onto legitimate app stores. We’ve reported these malicious apps to our peers at Apple and Google and they have been taken down from both app stores prior to this report’s publication. We are also alerting people who may have unknowingly self-compromised their accounts by downloading these apps and sharing their credentials, and are helping them to secure their accounts.
Malicious developers create malware apps disguised as apps with fun or useful functionality — like cartoon image editors or music players — and publish them on mobile app stores.
To cover up negative reviews by people who have spotted the defunct or malicious nature of the apps, developers may publish fake reviews to trick others into downloading the malware.
When a person installs the malicious app, it may ask them to “Login With Facebook” before they are able to use its promised features. If they enter their credentials, the malware steals their username and password.
If the login information is stolen, attackers could potentially gain full access to a person’s account and do things like message their friends or access private information.
There are many legitimate apps that offer the features listed above or that may ask you to sign in with Facebook in a safe and secure way. Cybercriminals know how popular these types of apps are and use these themes to trick people and steal their accounts and information.
Malware apps often have telltale signs that differentiate them from legitimate apps. Here are a few things to consider before logging into a mobile app with your Facebook account:
Here are a few examples of malware apps we found to provide no functionality until you log in with your social media account.
If you believe you’ve downloaded a malicious app and have logged in with your social media or other online credentials, we recommend that you delete the app from your device immediately and follow the following instructions to secure your accounts:
We also encourage people to report malicious applications that compromise Meta accounts to us through our Data Abuse Bounty program.
Threat indicators are also available in CSV, TSV, and JSON formats at https://github.com/facebook/malware-detection
© 2022 Meta