Meta has warned at least 1 million Facebook users about more than 400 malicious Android and iOS apps targeting them to steal their login information and compromise their accounts.
According to the company, it reported its findings to Apple and Google and is helping potentially impacted people to learn more about how to stay safe and secure their accounts.
“These apps were listed on the Google Play Store and Apple’s App Store and disguised as photo editors, games, VPN services, business apps, and other utilities to trick people into downloading them,” said David Agranovich, Director, of Threat Disruption at Meta.
Meta said Apple and Google have taken down those 400 malicious apps from their respective online stores.
“We are also alerting people who may have unknowingly self-compromised their accounts by downloading these apps and sharing their credentials, and are helping them to secure their accounts,” the company said in a blog post late on Friday.
Malicious developers create malware apps disguised as apps with fun or useful functionality — like cartoon image editors or music players — and publish them on mobile app stores.
“To cover up negative reviews by people who have spotted the defunct or malicious nature of the apps, developers may publish fake reviews to trick others into downloading the malware,” said Meta.
If the login information is stolen, attackers could potentially gain full access to a person’s account and do things like message their friends or access private information.
Meta said that if you believe you’ve downloaded a malicious app and have logged in with your social media or other online credentials, “we recommend that you delete the app from your device immediately”.