Facebook has announced that it has notified a million Facebook users that their usernames and passwords might have been stolen after downloading one of over 400 malicious Android and iOS smartphone apps.
The apps were discovered in the Google Play Store and Apple’s App Store over the course of the last year, posing as popular types of software.
According to Facebook, four in 10 of the apps posed as photo editors, while others posed as games, VPNs, health trackers, business applications, flashlight enhancers and other services to trick users into downloading them.
Users who downloaded the malicious apps were asked to log in with their Facebook account before they could use the features they were promised – and if the user entered their username and password, it handed their credentials to the attackers.
Many of the apps were useless and did not provide the functions they advertised – because once the user provided their credentials, the attackers had already got what they wanted.
With stolen login information, attackers can gain access to a person’s account, providing them with the ability to access private information, or send malicious phishing messages to the victim’s contacts. And if the victim also uses their Facebook account to log in to other applications and services, the attackers will also be able to access those – and potentially gain access to additional sensitive data.
As the downloads have been developed outside the Facebook ecosystem, the tech firm can’t be certain how many people have installed the malicious apps – but the company has notified around a million users that they may have been put at risk.
The notifications have two aims – one is to inform people they’ve downloaded a malicious app and tell them what steps they should take to secure their account if they’ve entered their login details. The second is to warn people who’ve potentially downloaded the apps and are yet to enter their account details that they shouldn’t do this.
If the attackers have access to a Facebook account, they also have the freedom to change the password and lock the victim out – and Facebook says that when this has happened, it’s worked to restore access to the user.
“We’re also taking steps in the course of our investigation to remediate accounts where we can that do appear to have been compromised and restore access for users who might have actually lost access to their account,” said Arganovich.
Facebook is also providing advice to users on how to spot a malicious app. The suggested tell-tale signs include apps asking for social media credentials – especially if there’s no need for the app to need this data. Another sign is the developer advertising features that the app doesn’t have. A string of poor reviews with complaints that the app doesn’t work as advertised could be a key sign that something isn’t right.
