Hundreds of seemingly innocent smartphone apps were singled out by security pros as being double agents of sorts, posing as something entertaining or useful but really set on pilfering Facebook login credentials.
The shady apps downloaded from the iPhone App Store and Android Google Play Store (photo editors, fitness trackers, VPNs and the like) often require users to “Log In with Facebook” and typically under-deliver on promised results, with the goal being to steal logins and passwords, according to a blog post by Meta, Facebook’s parent company, on Friday (Oct. 7).
“Malware apps on third-party app stores are disguised to look fun or useful,” according to the post by David Agranovich, Director, Meta Threat Disruption, and Ryan Victory, Malware Discovery and Detection Engineer.
The apps are often disguised as appealing no-charge cartoon image editors, music players, and other apps, usually with fake positive reviews, and are published like any other application on mobile app stores, per the post. The Meta team said they reported their findings to Apple and Google and will continue to post updates.
“We’ve shared our findings with industry peers, security researchers and policymakers to help us improve our collective defenses against this threat. Most importantly, because these apps were accessible in third-party app stores, we’re encouraging people to be cautious when downloading a new app that asks for social media credentials and providing practical steps to help people stay safe,” according to the post.
Of the 400 apps Meta reported, 45 were iOS apps, most being utility related. There were no indications that a particular geographic region or subset of people was being targeted by the malicious apps, per reports. The discovered apps targeted only Facebook, not Instagram or WhatsApp.