Meta has notified a million Facebook users that their usernames and passwords may have been compromised by malicious third-party apps downloaded from the Apple App Store and Google Play Store.
Meta's security researchers have identified more than 400 fraudulent apps designed to hijack Facebook users' account credentials in the past year. According to the company, many of the apps masqueraded as photo editors, while others were disguised as games, health trackers, flashlight enhancers, VPNs, and business applications, among other things.
If a user downloads any of these apps, they will be asked to log in with their Facebook account before they can use the app. If they do so, however, their account details will be sent to the attackers. Most Facebook users are generally not very tech-savvy and hence fall for these phishing scams pretty easily.
At this point, the app will not perform its advertised function. And because the threat actors now have access to the victim's account, they can steal sensitive information and also gain access to other apps and services where the victim logged in using their Facebook account.
Meta's Director of Threat Disruption, David Agranovich, said that Meta has already shared its findings with Apple and Google. However, he notes that it's up to the two companies to ensure that the apps are taken down.
To prevent other users from falling victim to such threats, Meta has provided some telltale signs of malicious apps. For one, these apps normally ask for social media credentials, even if there's no reason for the app to do so. The developer might also advertise features that the app doesn't have. Finally, an app may be fraudulent if it has reviews saying that the app doesn't work as advertised.
If you think you've downloaded a malicious app and logged in with your Facebook credentials, delete the app and reset your password immediately. Also, enable two-factor authentication to strengthen your account's security. Finally, turn on login alerts so you'll be notified of any login attempts.
You can find a complete list of affected apps here.