Meta warns 1 million Facebook users who installed password-stealing apps

The apps were disguised as "fun or useful" services and were in Google and Apple's stores.

SOPA Images via Getty Images

Meta is warning 1 million Facebook users that their account information may have been compromised by third-party apps from Apple or Google’s stores. In a new report, the company’s security researchers say that in the last year they’ve identified more than 400 scammy apps designed to hijack users’ Facebook account credentials.

According to the company, the apps are disguised as “fun or useful” services, like photo editors, camera apps, VPN services, horoscope apps, and fitness tracking tools. The apps often require users to “Log In with Facebook” before they can access the promised features. But these login features are merely a means of stealing Facebook users’ account info. And Meta’s Director of Threat Disruption, David Agranovich, noted that many of the apps Meta identified were barely functional.

“Many of the apps provided little to no functionality before you logged in, and most provided no functionality even after a person agreed to login,” Agranovich said during a briefing with reporters.

Meta warns users about scam apps.

Of note, Meta found malicious apps in both Google’s Play Store and Apple’s App Store, though the vast majority were Android apps. Interestingly, while the malicious Android apps were mostly consumer apps, like photo filters, the 47 iOS apps were almost exclusively what Meta calls “business utility” apps. These services, with names like “Very Business Manager,” “Meta Business,” “FB Analytic” and “Ads Business Knowledge,” seemed to be targeted specifically at people using Facebook’s business tools.

Agranovich said that Meta shared its findings with both Apple and Google, but that it was ultimately up to the stores to ensure the apps are removed. In the meantime, Facebook is pushing warnings to 1 million people who may have used the apps. The notifications inform users their account info may have been compromised by an app — it doesn’t name which one — and recommends resetting their passwords.

Update 12:20 PM ET: Apple and Google both confirmed that all of the apps identified by Meta had been removed from their respective app stores. "All of the apps identified in the report are no longer available on Google Play," A Google spokesperson said in a statement. "Users are also protected by Google Play Protect, which blocks these apps on Android.”