Facebook has identified over 400 malware apps that appear to have stolen more than a million usernames and passwords. To counteract the attacks, the company has now shared its findings with Google and Apple.
Apparently, over 400 apps secretly stole the data of around a million Facebook users. The company announced this in an official blog post. The findings, meanwhile, come from a crackdown on malicious mobile apps.
According to the company, the applications are available in the Apple and Google app stores and aim to compromise users’ Facebook accounts.
Malware apps disguised as useful applications
The malware was designed by third parties to appear fun or useful. This is how the developers smuggled the apps into the official stores.
For example, they disguised them as mobile games, photo editing programs, fitness trackers, VPN services or even as flashlight brighteners. To use the applications, users were then asked to log in with their social media credentials.
Mainly because there are also legitimate apps that ask for such logins, numerous users apparently fell for it. The developers also faked customer ratings to cover up negative reviews.
One million Facebook users affected by malicious apps
If the hackers succeed in persuading users to log in, they can potentially gain full access to the person’s account. They can then also send messages to that person’s friends and access private information.
According to various media reports, around one million Facebook users have transmitted their usernames and passwords to malicious apps in this way.
Facebook is meanwhile sending affected users a security notice and explaining how they can protect themselves from attacks on their accounts.
How users recognize malware apps
- If an app requires a user’s login information to function, it is probably not authentic.
- Users should check the reputation of the app in question before downloading it. Download numbers, ratings and reviews can indicate the legitimacy of the application. (Negative comments are a good sign that the reviews are not fake.)
- Users should check whether the app really delivers what it promises, both with and without a login.
Users who fear they have logged into a malware app should first delete the application from their device. They should also reset their Facebook password and choose a new, stronger one.
If possible, users should also use two-factor authentication as an additional security measure.
In addition, users should turn on login notifications. That way, they receive an immediate notification if an unauthorized person tries to use the Facebook account.
Facebook alerts Google and Apple to malicious apps
Facebook has already contacted Apple and Google to have the malicious apps removed from the stores.
“We’ve shared our findings with industry peers, security researchers, and policymakers to improve our collective defenses against this threat.”
The social media platform has also published a list of all malicious applications. There, users will also find hints that they can use to identify malicious applications. The company also asks its users to report malicious apps online.
The malware apps have already been deleted, according to spokesmen for Google and Apple.