Meta Platforms Inc. said it might notify roughly 1 million Facebook users that their account credentials could have been compromised due to security issues with apps downloaded from Apple Inc. and Alphabet Inc.’s software stores.
The company announced Friday that it identified more than 400 malicious Android and iOS apps this year that target internet users in order to steal their login information. Meta said it informed both Apple and Google about the issue in order to facilitate removal of the apps.
The apps worked by disguising themselves as photo editors, mobile games or health trackers, Facebook said.
Apple said 45 of the 400 problematic apps were on its App Store and have been removed. Google removed all of the malicious apps in question, a spokesperson said.
“Cybercriminals know how popular all these apps are, and they’ll use similar themes to trick people and steal their accounts and information,” said David Agranovich, director of global threat disruption at Meta. “If an app is promising something too good to be true, like unreleased features for another platform or social media site, chances are that it has ulterior motives.”
A typical scam would unfold, for example, after a user downloaded one of the malicious apps. The app would require a Facebook login to work beyond basic functionality, thus tricking the user into providing their username and password. Users might then, for example, add an edited photo to their Facebook account. But in the process, they unknowingly compromised their account by giving the author of the app access.
Meta said it might be sharing tips with potential victims on how they can avoid being “re-compromised” by learning how to better spot problematic apps that pilfer credentials, whether for Facebook or other accounts. The malicious activity occurred off Meta systems, Agranovich said, adding that not all 1 million people necessarily had their passwords compromised.