Fraudsters are stealing people’s social media account logins by developing trojan apps which are then put on app stores and downloaded by unwitting victims, according to Facebook’s parent company Meta.
The tech giant said its researchers had identified more than 400 “malicious” Android and iOS apps which were available on the official Apple and Google app stores.
The fraudulent apps were advertised as a wide array of applications, such as games, photo editors, and utilities such as a mobile flashlight.
Once downloaded, they prompted users to enter their Facebook credentials in order to log in and use the app.
If these credentials are entered, Meta says they are stolen, potentially allowing the fraudsters to access the user’s full account and all the associated private information.
“We’ve reported these malicious apps to our peers at Apple and Google and they have been taken down from both app stores prior to this report’s publication,” Meta said in a statement on its website.
Malware ‘disguised to look fun or useful’
In its post on Friday (October 7), Meta said its security researchers had “found more than 400 malicious Android and iOS apps this year that were designed to steal Facebook login information and compromise people’s accounts”.
The trojan apps were disguised as useful or popular tools. Some 42.6 per cent of them were presented as video editors, 15.4 per cent were classified as business utility, 14.1 per cent as phone utility, and the rest were games, VPNs, or lifestyle apps.
While Apple and Google have measures in place to identify and remove malicious apps on their respective stores, Meta said “some of these apps evade detection”.
These typically had fake reviews written for them by the developers, which served to trick users into thinking they were legitimate - but also to cover up previous reviews warning others that they were not as they seemed.
The developers make apps like these appear like they are providing the advertised service, but the goal is to get users to download them and then enter their Facebook username and password, Meta said.
“If the login information is stolen, attackers could potentially gain full access to a person’s account and do things like message their friends or access private information,” the company warned.
How to spot a malicious app
Meta listed some red flags to watch out for when downloading an app, to avoid giving sensitive information to fraudsters.
The company noted that many popular apps do allow users to log in with their Facebook credentials, which is what the criminals behind the malicious apps are targeting.
But Meta warned users to take note of the following:
- If the app is unusable without providing Facebook information
- If the app has a very low number of downloads, rating and reviews, and if there are negative reviews
- Whether the app provides the functionality it says it will, before or after logging in.
The company said it had contacted users whose credentials had potentially been compromised, and was advising them on how to ensure their accounts are secure.