WHAT YOU NEED TO KNOW:
- Meta identified over 400 malicious apps, disguised as Android and iOS apps, that steal Facebook usernames and passwords.
- Around 1 million Facebook users may have been compromised.
- Meta advised users to be wary of such apps and to add extra security such as two-factor authentication to their account.
Meta announced that it discovered over 400 fake apps designed to steal Facebook users’ account information by requiring them to log in. According to multiple news reports, one million Facebook accounts may have been compromised.
Meta’s update on Friday stated that the apps were disguised as games, photo editors, or other utilities such as a flashlight. The apps would then ask users to log in via Facebook so that the apps could capture their login names and passwords.
Facebook explained, “There are many legitimate apps that offer the features listed above or that may ask you to sign in with Facebook in a safe and secure way. Cybercriminals know how popular these types of apps are and use these themes to trick people and steal their accounts and information.”
Developers of such malware can even post fake positive reviews to cover up the negative ones posted by people who realized that the app was fake.
Facebook recommends looking closely at all reviews and the number of downloads when checking an app. It also advised users to “be suspicious” of apps that require users to sign in to Facebook before being allowed to use them.
Facebook assured users that it is helping secure compromised accounts. The apps were also pulled from the Google and Apple app stores.
Facebook provided a list of all the malicious apps. The company advised users who may have installed these apps to remove them immediately and reset their account login information.
The social media company also advised users “to add an extra security layer to your account” by enabling two-factor authentication and turning on log-in notifications so they can be alerted if someone tries to sign in to their account.
Individuals with compromised accounts can file a report through the Data Abuse Bounty program.