Meta warned on Friday that a million Facebook users downloaded or used apparently innocuous mobile applications, but designed to steal their password to access the social network.
“We’re going to tell a million people who may have been exposed to these apps – which doesn’t necessarily mean they were hacked,” said David Agranovich, a director of Meta’s cybersecurity teams, during a press conference.
Since the beginning of 2022, Meta, the parent company of Facebook and Instagram, has identified more than 400 “malicious” applications, available for smartphones operated with iOS (Apple) and Android (Google).
“These applications were present in the Google Play Store and the Apple App Store and were posing as photo editing tools, games, VPNs and other services,” Meta said in a statement.
Once downloaded and installed on the phone, these apps asked users for their Facebook credentials in order to use some features.
“They tried to encourage people to give their confidential information to allow hackers to access their accounts,” summarized Agranovich, who estimates that the developers of these applications were probably looking to recover other passwords, not just those of Facebook.
“The targeting seemed to be relatively indiscriminate,” he noted. It was about “getting as many as possible” passwords.
Meta stated that it has shared its findings with Apple and Google.
Apple did not respond to an AFP request for comment, but Google said it had removed most of the apps flagged by Meta from its Play Store.
“None of the apps identified in the report are still available on Google Play,” a Google spokesperson wrote to AFP.
More than 40% of the applications indicated were used to edit images. Others were simple tools, to turn your cell phone into a flashlight, for example.
Agranovich advised users to be careful when an app asks for passwords without a valid reason or makes promises “too good to be true.”
