Meta Uncovers 400 Malicious Android, iOS Apps Designed to Steal Logins

Meta has uncovered over 400 mobile apps designed to trick users into revealing their credentials, including two-factor authentication codes.

The company’s malware detection team discovered the malicious Android and iOS apps last year while investigating cyber threats facing Facebook. According to Meta, it’s difficult to estimate how many users may have downloaded the apps or subsequently revealed their credentials, but the company plans to alert suspected victims.

“So we’re being overly cautious here. We will notify one million users that they may have been exposed to one of these applications,” said David Agranovich, Meta’s director of threat disruption, in a briefing with journalists. He added that the apps targeted people indiscriminately.

The malicious apps disguised themselves as legitimate programs such as photo editors, VPNs, games or even flashlight apps. However, they would also require the user to sign up with an account for Facebook or another platform.


Example of some of the apps. (Image credit: Meta)

“A lot of the apps offered little to no functionality before you signed up,” Agranovich said. “Most offered no functionality even after you logged in.” But the login prompt could steal any username, password, and two-factor authentication code entered. Hackers could then use the stolen access to continue other scams.

The apps also managed to bypass the security measures of the Google Play Store and Apple App Store to get listed. According to Meta’s report, 42.6% of the malicious apps posed as photo editors, while 11.7% pretended to be VPNs. Meanwhile, the affected apps on iOS focused on offering business utilities with names like “Business Manager Pages” and “Ad Optimization Meta”.

“Cybercriminals know how popular these types of apps are, and they will use similar themes to trick people into stealing their accounts and information,” Agranovich added.

Meta has already reported its findings to Apple and Google.

Google tells PCMag, “All apps identified in the report are no longer available on Google Play. Users are also protected by Google Play Protect, which blocks these apps on Android.” The company adds that the majority of the malicious apps mentioned in Meta’s report were identified and removed from Google Play earlier this year.

Apple says all 45 malicious iOS apps have also been removed from the company’s app store. It adds that it has zero tolerance for cheating and malicious activity on the App Store.

Meta’s report has a full list of affected apps, the vast majority of which are Android apps.

To protect themselves, Meta encourages users to look at an app’s reviews before downloading it. Negative reviews in particular might mention whether the app is a scam or not. It’s also a good idea to avoid apps that require you to sign in with an official Facebook, Google, or Apple account to gain access to all features.

Agranovich added: “Does this prompt to log into Facebook make sense? If a flashlight application requires you to log into Facebook before it gives you a flashlight feature, that’s probably something to be suspicious of.”

To determine which users may have been threatened, Meta will look at factors such as evidence that their account may have been compromised or accessed in a certain way, Agranovich said.
