Meta Lists 400 Credential-Stealing Mobile Apps That Compromised 1M Facebook Users

Meta has identified and listed hundreds of iOS and Android apps that threaten the cyber hygiene of approximately one million users. The company explained that these apps are designed to deceive users by appearing useful when in reality their only purpose is to steal Facebook usernames and passwords.

In a blog post, David Agranovich, Meta’s director of threat disruption, and Ryan Victory, malware discovery and detection engineer, said the company had identified 400 mobile applications that appear useful on the surface but are malicious at heart.

It is feared that around a million users have been compromised by these malicious apps, which appear to have “funny or useful features”. These apps include photo editors, Internet speed-boosting VPN services, high-graphics-performance games, flashlight apps, lifestyle apps like fitness trackers, and business utilities like Facebook ads managers.

The vast majority (42.6%) of fake apps are designed as image editors that offer, but are not limited to, features such as cartoon rendering and editing. “This is an extremely controversial space, and while our industry peers work to detect and remove malicious software, some of these apps evade detection and make it into legitimate app stores,” Meta said.

Credential stealing apps on iOS and Android | Source: Meta

Simply downloading malicious apps is unlikely to lead to credential theft. However, many of the 400 apps offer “little to no functionality until you sign up, and most don’t offer functionality even after a person has opted in,” Agranovich told press.

When users log into these apps with their Facebook credentials, their usernames and passwords are effectively compromised, leaving them open to an additional barrage of cyberattacks such as account takeover, and not only on Facebook.

Credential stuffing across multiple online platforms is also a major concern, especially given recent advances in bots, programs that can perform automated and repetitive tasks quickly and at scale.

Credential stuffing can be defeated by using different passwords for different online services. However, this can lead to password overload or password fatigue in the information age. According to Okta’s Enterprises at Work 2022 report, the average number of apps organizations deployed in 2021 was 89, a 24% increase since 2016.
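The stuffing pattern described above has a recognisable defender-side signature: one source replaying stolen username/password pairs against many distinct accounts, most of which fail. The following Python detector is an added example, not code from Meta or from this article; it assumes a simple `timestamp ip username outcome` log format and uses constructed sample lines and thresholds chosen for illustration. Accounts that do succeed from a flagged source are surfaced separately, since those are the likely reused passwords that need resetting.

```python
"""Flag credential-stuffing sources in authentication logs (added example).

Signature used: a single source IP attempting many *distinct* accounts within a
short window with a high failure ratio. A user mistyping their own password
repeats one account and is not flagged. Log format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format:
# <ISO timestamp> <source ip> <username> <SUCCESS|FAILURE>
SAMPLE_LOG = """\
2022-10-07T10:00:01 203.0.113.7 alice FAILURE
2022-10-07T10:00:02 203.0.113.7 bob FAILURE
2022-10-07T10:00:02 203.0.113.7 carol FAILURE
2022-10-07T10:00:03 203.0.113.7 dave SUCCESS
2022-10-07T10:00:04 203.0.113.7 erin FAILURE
2022-10-07T10:00:05 203.0.113.7 frank FAILURE
2022-10-07T10:00:06 203.0.113.7 grace FAILURE
2022-10-07T10:00:07 203.0.113.7 heidi FAILURE
2022-10-07T10:00:08 203.0.113.7 ivan FAILURE
2022-10-07T10:00:09 203.0.113.7 judy FAILURE
2022-10-07T10:01:00 198.51.100.4 alice FAILURE
2022-10-07T10:01:30 198.51.100.4 alice FAILURE
2022-10-07T10:02:00 198.51.100.4 alice SUCCESS
2022-10-07T10:03:00 192.0.2.9 bob SUCCESS
"""


def parse_log(text):
    """Turn log lines into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "SUCCESS"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=5,
                    min_failure_ratio=0.7):
    """Return {ip: summary} for sources that, within any `window`, touch at least
    `min_accounts` distinct usernames with a failure ratio >= `min_failure_ratio`.

    The summary lists accounts that *succeeded* from that source: probable
    reused passwords that should be reset and reviewed for takeover.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        # Slide a window forward from each event until the source is flagged.
        for i, (start, _, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            accounts = {e[2] for e in in_window}
            failures = sum(1 for e in in_window if not e[3])
            ratio = failures / len(in_window)
            if len(accounts) >= min_accounts and ratio >= min_failure_ratio:
                findings[ip] = {
                    "accounts": len(accounts),
                    "failure_ratio": round(ratio, 2),
                    "succeeded": sorted(e[2] for e in in_window if e[3]),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {summary['accounts']} accounts, "
              f"{summary['failure_ratio']:.0%} failed, "
              f"successful logins to reset: {summary['succeeded']}")
```

On the constructed log only `203.0.113.7` is flagged (ten accounts, 90% failures, one success against `dave`); the repeated failures from `198.51.100.4` all concern a single account and are left alone. In a real deployment the thresholds would be tuned against baseline traffic and the source key would usually combine IP with user agent or ASN, since stuffing tools rotate addresses.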

Individual users may use fewer online apps/services personally than corporate users. However, a study by the Ponemon Institute pointed out that more IT security professionals (50%) reuse passwords than individuals (29%).

Even though multi-factor authentication (MFA) is catching on and companies are trying to make passwordless login a reality, Verizon’s 2022 Data Breach Investigations Report traced 80% of data breaches to stolen credentials.

Agranovich and Victory highlighted some red flags that users should be aware of when it comes to password hygiene. “Malware apps often have telltale signs that distinguish them from legitimate apps,” the duo wrote. These include:

  • The app requires social media credentials in order to work
  • The app’s reputation: pay attention to its number of downloads, ratings, and reviews
  • Whether the app is actually functional after the credentials have been entered

Of the 400 credential-stealing apps identified by Meta, 47 were in Apple’s iOS App Store, while Google’s Android Play Store had 355. Meta noted that these apps also existed in third-party app stores.

Both Google and Apple have removed the apps from their respective app stores, but that doesn’t help users who have already downloaded one of the 400 apps and signed in with their Facebook credentials.

The wisest thing would be to uninstall the app (listed here) and change the password immediately on Facebook and any other online apps/services/platforms where a similar password was used. Users should also enable login alerts and leverage 2FA with an authenticator app, as cellular-based 2FA with one-time passwords can be exploited in SIM swapping attacks.