Facebook Alerts 1 Million Users whose Login Information was taken by Fraudulent Mobile Apps

According to the firm, the apps have been withdrawn from Apple and Google's app stores, but they shouldn't have been there to begin with.

Facebook users are being alerted by Meta about hundreds of apps on the Apple and Google app stores that were created with the sole purpose of stealing login information for the social network app. Over 400 malicious apps posing as games, photo editors, and other utilities, the business claims, have been found, and it is alerting customers who "may have unintentionally self-compromised their accounts by downloading these apps and giving their credentials." Bloomberg estimates that one million people could have been impacted.

According to Meta's post, the apps deceived users into downloading them with false testimonials and claims of practical usefulness (both common tactics for other scam apps that are trying to take your money rather than your login info). However, some of the apps required users to check in with Facebook before they could accomplish anything, and if they did, the developers could steal their login information.

Although Meta claims to have reported the apps to Google and Apple and had them removed, the fact that they had ever managed to appear on the stores is still not ideal. This is especially true for Apple, which has long campaigned against side loading programs for the iPhone, claiming that doing so is "a cyber criminal's best friend." It claims that its "trusted ecosystem for millions of apps" has been made possible by its App Review process, which theoretically evaluates programs before they are made available on the App Store. Despite this, the business has had trouble controlling the use of scam apps on its platform; some of these have reportedly made millions of dollars.

Of the 402 harmful apps on Facebook's list, 355 were for Android and 47 were for iOS, so it's safe to say that the problem is substantially worse on the Play Store. Interestingly, while the Android versions included apps for games, VPNs, picture editors, and horoscopes, all of the iPhone versions were with maintaining company sites or advertisements. (This doesn't mean they weren't at least a little suspicious; it's difficult to fathom how "Very Business Manager" managed to get through Apple's App Review procedure.)

Google and Apple did not answer The Verge's request for comment right away.

In regards to apps that try to steal your login information, Meta's post outlines some good warning signs to look out for — if the app doesn't do what it says it does, locks all functionality behind a login, or has a ton of (possibly buried) negative reviews, it's probably best to pass and find another, more reliable app.

Back to blog