Facebook Says These 400 Apps Might Have Stolen User Logins

A million Facebook users might have provided their usernames and passwords to harmful apps designed to help scammers take over their accounts, Facebook parent company Meta said Friday.

The social media giant said it found more than 400 malicious apps available on Apple and Android devices. These apps pretended to offer mobile games, photo editing, fitness tracking or even to brighten a phone's flashlight. Facebook users who might have logged in to the social network on a malicious app will receive a security notice that includes steps they can take to protect their accounts. Some of those steps include resetting their Facebook password, adding an extra layer of security known as two-factor authentication, and turning on alerts so users know when someone has tried to sign in to their Facebook account. 

Meta's findings underscore the risks that could come with providing your Facebook account information to log in to apps. David Agranovich, Meta's director of threat disruption, said there are benefits to logging in to apps through Facebook or other account providers. It reduces the need for people to create multiple accounts where a username or password may be reused on other sites. Logging in to an app through another account also creates an extra layer of authentication, he said.

In this case, scammers were trying to dupe people into downloading an app with malicious software that steals their Facebook username and password. The apps prompted people to log in to their Facebook accounts. While there are legitimate apps that ask for Facebook login information, there are also harmful ones that evade detection and make it onto app stores. 

"The reality is a lot of these scams don't start and end on one platform," Agranovich said in a press call. "To avoid detection, threat actors will often carry their activity across different sites, which makes cross-industry collaboration like this all the more critical."

Agranovich said it's tough for Meta to tell if a user has provided their Facebook login information to a malicious app or merely downloaded the app but never logged in to it. Meta looks at various signals, he said, to determine if a Facebook user's account may have been compromised and whether an attacker broke in to their account in a particular way. 

Google and Apple spokespeople said all the malicious apps Meta identified in the report have been removed. More than 350 of the malicious apps were available on Android devices. The search giant has a service called Google Play Protect that checks Android devices for potentially harmful apps.

Once attackers steal people's Facebook username and password, they can use that information to take over accounts and get more personal information about victims. They can also use compromised accounts to message victims' friends to scam them out of money or purchase ads to dupe others.

Protecting your Facebook account

Meta provided a list of the more than 400 malicious apps on a blog post so users can check to see if they've downloaded any of them. Some of the apps have names such as Beauty Camera, Kangaroo VPN, Magic Horoscope and QR Barcode Scanner. 

About 43% of the malicious apps were for photo editing. 

Meta outlined some red flags users should look out for before logging in to an app with their Facebook account.

Some of these signs include requiring social media login information to use the app. 

"For example, be suspicious of a photo-editing app that needs your Facebook login and password before allowing you to use it or an app that asks you to log in with Facebook to remove ads," Meta said in its report.

People can also look at whether an app has negative reviews. But attackers can also publish fake ones, so that strategy doesn't always work. Some of the apps promised to provide features after logging in with your Facebook account, but once people did, the app was useless. 

Facebook users can also report malicious apps to the company online.