Over 400 malicious apps that were targeting Facebook login information have been identified by Meta and are now off of the major app stores, according to a security report published by the company. The apps appear to have been part of a large coordinated campaign, using similar templates designed to fool users and bolstering their appeal with fake positive reviews.
The malicious apps covered a variety of categories and functions, but all had one similarity: asking the user for Facebook login information at the startup screen, which was then skimmed by the attacker and used to take over the account.
Login information used for Facebook account takeovers
Meta did not make clear exactly who the attackers were or what their plans were for the stolen login information, but social media account takeovers have been spiking as of late. They are a relatively easy and low-risk branch of cyber crime, and have been monetized in increasingly creative ways (such as driving traffic to legitimate ad campaigns, or using the hijacked account to lure its contacts into crypto schemes).
Meta believes that about one million Facebook users may have been targeted by these malicious apps, and has privately contacted users that may have had their login information compromised.
Malicious apps appear to be coordinated by a single threat actor
The malicious apps appeared to evade Apple and Google security review by not including malware or other threat elements that could be recognized by signatures. It isn't uncommon for legitimate apps to integrate Facebook login for a specific function, such as posting content from the app directly to a user's wall, but almost no legitimate app requires users to log into Facebook just to open it and use its basic features.
The malicious apps are now gone from the Apple and Google app stores, quietly removed prior to Meta’s report going public. While it is possible that a million Facebook users were impacted, those that had two-factor authentication enabled would have been protected (but should still change passwords out of an abundance of caution, and ensure that password is not re-used with any other services).
About 2,500 users being compromised for each malicious app seems plausible given that the threat actor put some effort into making them look legitimate, often promising functions that are not typically found in free apps. Once inside the app, the user would quickly find that few of the promised functions were actually available, but by that point they would have already entered their Facebook login information. The attacker also spread the app types across different store categories, offering everything from fake photo editors to fake virtual private networks (VPNs). The inevitable negative reviews from users who had been duped were counteracted with waves of fake positive reviews to keep the scheme going.
Meta does not advise that users that have not been contacted take any particular action, but does recommend enabling 2FA as a general protective buffer against scams such as these.