
Meta has made public an internal security report that found apps designed to steal Facebook login information are rampant on both of the big two app stores. The company says that it has found over 400 malicious apps of this nature across Android and iOS, which manage to stay afloat with a combination of professional art and fake positive reviews to lend them an appearance of legitimacy.
There is one dead giveaway when dealing with apps designed to steal Facebook login information, however; all of them embed a Facebook button on their startup screens and require the victim to enter their credentials to use the app.
Cluster of malicious apps specifically targets Facebook credentials, has managed to evade app store security
The malicious apps appear to be flying below the radar of Google and Apple security by not taking an approach of installing malware or keyloggers; instead they simply ask for Facebook login information as a condition of starting up the app, and if the user provides it the threat actor steals it. It is not uncommon for mobile apps to have embedded Facebook functionality of some sort, but it is unusual for them to require the user to provide credentials before the app will start.
Meta says that it has reported its findings directly to Apple and Google and is reaching out to potentially impacted Facebook users, and that the apps were removed prior to the publication of the report.
There is no estimate of how many users may have had their login information compromised by these malicious apps. The apps do not appear to go after two-factor authentication (2FA), targeting users who log into Facebook with just a basic username and password. Of course, even if users have secured their accounts with 2FA there is nothing stopping the attackers from trying the credentials at various other services to see if they have been re-used.
The Facebook login information theft campaign appears to be well-organized, covering a broad range of different app categories. The most common of these malicious apps are basic photo editors, usually offering some gimmicky function such as turning the user’s pictures into cartoons or allowing them to layer clothes over selfies. Fake photo editors made up over 42% of all of the malicious apps that were located. Other major categories include business utilities (often promising access to functions and information insights that other similar free apps do not offer), phone utilities such as VoIP calling, video games and fake VPNs. There are a small handful of other app types such as horoscopes, personal psychology aids, media players and wallpaper collections.
The malicious apps also use several techniques to inspire trust. They use basic but professional-looking art, and appear to actively post fake positive reviews in an attempt to drown out the inevitable negative reviews when users realize that they do not offer all of the promised functions and features.
Meta notes that apps that ask for Facebook login information upon startup should be viewed with suspicion, and recommends that users enable 2FA on their account as an added layer of protection. It also advises carefully reading reviews for indications of malicious activity and promised features that are not actually included or do not actually work. The malicious apps in question apparently provided little of the promised functionality, at best.
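The two warning signs the article describes, a login prompt on startup and a wall of fake positive reviews drowning out genuine complaints, can be turned into simple review-triage heuristics. The following is an added example, not code from Meta's report or the article: it scores a constructed set of app-store reviews for bursts of positive ratings, near-duplicate positive review text, and low-rated reviews that mention a login or password prompt. The review records, thresholds and function names are all assumptions chosen for illustration.

```python
"""Heuristics for spotting app listings propped up by fake positive reviews.

Added example; the thresholds and the SAMPLE_REVIEWS below are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample reviews: (ISO timestamp, star rating, review text).
SAMPLE_REVIEWS = [
    ("2024-01-03T09:00:00", 5, "Great app works perfectly love it"),
    ("2024-01-03T09:04:00", 5, "great app, works perfectly, love it!"),
    ("2024-01-03T09:09:00", 5, "Works perfectly great app love it"),
    ("2024-01-03T09:15:00", 5, "Amazing cartoon filter, five stars"),
    ("2024-01-03T09:20:00", 5, "Great app works perfectly"),
    ("2024-01-03T09:31:00", 5, "Amazing cartoon filter five stars!!"),
    ("2024-01-05T14:10:00", 1, "Asked for my Facebook password before it would even open, then nothing worked"),
    ("2024-01-06T18:45:00", 1, "Cartoon feature does not exist, do not install"),
    ("2024-01-09T11:30:00", 2, "Wants Facebook login on startup, no filters at all"),
]

# Low-rated reviews mentioning these terms are treated as login-prompt complaints.
LOGIN_COMPLAINT = re.compile(r"\b(login|log in|password|credentials|sign in)\b", re.I)


def _tokens(text):
    """Lower-cased alphanumeric word set, so punctuation and case do not matter."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def jaccard(a, b):
    """Token-set similarity between two review texts (0.0 to 1.0)."""
    ta, tb = _tokens(a), _tokens(b)
    if not ta or not tb:
        return 0.0
    return len(ta & tb) / len(ta | tb)


def near_duplicate_ratio(reviews, threshold=0.6):
    """Fraction of positive (>= 4 star) reviews that closely match another positive review."""
    positives = [text for _, stars, text in reviews if stars >= 4]
    if len(positives) < 2:
        return 0.0
    duplicated = 0
    for i, text in enumerate(positives):
        if any(jaccard(text, other) >= threshold
               for j, other in enumerate(positives) if j != i):
            duplicated += 1
    return duplicated / len(positives)


def max_positive_burst(reviews, window=timedelta(hours=1)):
    """Largest number of positive reviews posted inside any window of the given length."""
    times = sorted(datetime.fromisoformat(ts) for ts, stars, _ in reviews if stars >= 4)
    best = 0
    for i, start in enumerate(times):
        # Count reviews from this one forward that fall within the window.
        count = sum(1 for t in times[i:] if t - start <= window)
        best = max(best, count)
    return best


def login_complaint_count(reviews):
    """Number of low-rated (<= 2 star) reviews complaining about a login or password prompt."""
    return sum(1 for _, stars, text in reviews
               if stars <= 2 and LOGIN_COMPLAINT.search(text))


def assess(reviews, burst_min=5, dup_min=0.5, complaint_min=1):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    burst = max_positive_burst(reviews)
    if burst >= burst_min:
        findings.append(f"{burst} positive reviews posted within one hour")
    dup = near_duplicate_ratio(reviews)
    if dup >= dup_min:
        findings.append(f"{dup:.0%} of positive reviews are near-duplicates of each other")
    complaints = login_complaint_count(reviews)
    if complaints >= complaint_min:
        findings.append(f"{complaints} low-rated reviews complain about a login/password prompt")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_REVIEWS):
        print("FLAG:", finding)
```

On the constructed sample the script raises all three flags: six five-star reviews land inside half an hour, every positive review is a token-level near-duplicate of another, and two of the three low-rated reviews describe exactly the startup login prompt Meta warns about. On a real listing the thresholds would need tuning against the app's overall review volume, and a single flag is a prompt to read the reviews by hand rather than a verdict.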
Criminals increasingly interested in social media login information
Cyber criminals are showing a renewed interest in all of the major social media platforms, seeing account takeovers as a relatively easy and low-risk form of cyber crime. Conventional thinking has been that these accounts are worth little unless they belong to someone famous or with a large platform, but hackers are finding creative applications for large numbers of accounts.
There are lots of different applications for stealing social media login information, but one that seems to be growing in popularity recently is the use of them (and their contact lists) to fleece legitimate advertising programs. A recent scam on Facebook has seen attackers take over an account and then attempt to redirect the entirety of the person’s contact list to a URL that displays legitimate ads, which the criminals derive revenue from. Similar campaigns have flared up on the app stores since 2020, which involve criminals crafting malicious apps that hijack user devices for similar types of ad fraud.
Cyber criminals also use stolen social media accounts to pass malware to trusting friends and followers, or to run cryptocurrency scams. There is also a trade in social media accounts that have usernames that contain common words or few characters, as these are often the oldest accounts on the platform and have a certain prestige value.