Facebook says up to 1 million people’s logins and passwords may have been stolen and abused by beauty apps, photo editors, games and other “rogue” apps across the top two app stores.
The social media giant has named 400 apps including beauty filters, utilities like torch apps, VPNs and business management apps on Android’s Play Store and Apple’s App Store.
The company says the rogue apps could give attackers “full access to a person’s account,” allowing them to initiate cash-based fraud. The stolen credentials could also be used to access other services that use Facebook logins for access.
The company says it has removed the rogue apps and is contacting affected individuals.
“This year we have identified more than 400 malicious Android and iOS apps targeting people on the internet to steal their Facebook credentials,” said David Agranovich, director of threat disruption at Facebook.
“We’ve reported our findings to Apple and Google, and are helping potentially affected people learn more about staying safe and protecting their accounts.”
“If a person installs the malicious app, they may be asked to log in to Facebook before they can use the promised features,” he said.
“If they enter their credentials, the malware steals their username and password.”
Some of the rogue apps claim you can “turn into a cartoon”. Other names like “Cool Filter Editor” and “Beauty Camera Plus” promise filters and effects.
Facebook says its list includes rogue VPN apps like Fast VPN Proxy that claim to “increase browsing speeds or grant access to blocked content or websites”.
And the list (which Facebook has published) includes phone utilities like flashlight apps that claim to brighten up your phone’s flashlight function.
It also includes health and lifestyle apps like horoscopes and fitness trackers, while business or ad management apps that claim to provide hidden or unauthorized features not found in official apps are also named.
Facebook has urged people to watch for telltale signs of an app’s scam intent.
“Is the app unusable if you don’t provide your Facebook information? For example, be suspicious of a photo editing app that requires your Facebook login and password before you can use it.”
It’s also a good idea to check if the app is legitimate. “See the number of downloads, ratings and reviews, including negative ones.”
General advice for people wanting to stay safe also includes changing passwords regularly and turning on two-factor authentication, which requires anyone who wants to log in to an account to use a one-time code that is sent to another email address or SMS number.
“Turn on login notifications so you’re notified when someone tries to access your account,” the company adds. “Be sure to review your previous sessions to ensure you recognize which devices have access to your account.”
Source: https://www.independent.ie/business/technology/facebook-says-up-to-1m-people-hacked-by-rogue-iphone-and-android-apps-42052383.html (Facebook says up to 1 million people have been hacked by rogue iPhone and Android apps)