Meta Lists 400 Credential-Stealing Mobile Apps That Compromised 1M Facebook Users | – Spiceworks News and Insights
According to Meta, these 400 iOS and Android apps are designed specifically to steal Facebook usernames and passwords.
Meta has identified and listed hundreds of iOS and Android apps that threaten the cyber hygiene of approximately one million users. The company explained that these apps are designed to hoodwink users by appearing utilitarian when in reality, they have one purpose: to steal Facebook usernames and passwords.
In a blog post, David Agranovich, Meta’s director of threat disruption and Ryan Victory, malware discovery and detection engineer, said that the company identified 400 mobile applications that seem to have utility on the surface but are malicious to their core.
Approximately one million users are feared to have been compromised through these illicit apps that appear to have “fun or useful functionality.” These apps include photo editors, internet speed-boosting VPN services, high-graphics games, flashlight apps, lifestyle apps such as fitness trackers, and business utilities such as Facebook ad manager.
By far, the largest chunk (42.6%) of phony apps was designed as photo editors that offer functionality including but not limited to cartoon rendering and editing. “This is a highly adversarial space and while our industry peers work to detect and remove malicious software, some of these apps evade detection and make it onto legitimate app stores,” Meta said.
Credential Stealing Apps on iOS and Android | Source: Meta
Simply downloading malicious apps is unlikely to result in credential theft. However, a lot of the 400 apps offer “little to no functionality before you logged in, and most provided no functionality even after a person agreed to log in,” Agranovich told the press.
If users log in to these apps with their Facebook credentials, their usernames and passwords are effectively compromised, thus opening them up to an additional barrage of cyberattacks such as account takeover, not just on Facebook.
See More: 1,859 Mobile Apps, Mostly iOS, Found Storing Hard-Coded Credentials for AWS Databases
Credential stuffing on multiple online platforms is also a significant concern, especially since recent strides in developing bots or programs that can perform automated and repetitive tasks rapidly at scale.
Credential stuffing can be rendered ineffective by using different passwords for different online services. However, that can lead to password overload or password fatigue in the information age. According to Okta’s Businesses at Work 2022 report, the average number of apps organizations deployed in 2021 was 89, increasing by 24% since 2016.
Individual users may use fewer online apps/services personally than enterprise users. However, a Ponemon Institute study pointed out that more IT security professionals (50%) reuse passwords than individuals (29%).
Even as multi-factor authentication (MFA) catches on and organizations try to make passwordless login a reality, Verizon’s 2022 Data Breach Investigations Report attributed 80% of data breaches to stolen credentials.
Agranovich and Victory highlighted a few red flags that users should be aware of when it comes to password hygiene. “Malware apps often have telltale signs that differentiate them from legitimate apps,” the duo wrote. These include:
47 of the 400 credential-stealing apps identified by Meta were on Apple’s iOS App Store, while Google’s Android Play Store had 355. Meta noted that these apps were also present in third-party app stores.
Both Google and Apple have removed the apps from their respective app stores though that doesn’t help users who have already downloaded any of the 400 apps and logged in using their Facebook credentials.
The prudent thing would be to uninstall the app (listed here) and promptly change the password on Facebook and any other online app/service/platform where a similar password was used. Users should also turn on log-in alerts, and leverage 2FA using an Authenticator app since cellular-based 2FA using one-time passwords can be hijacked in SIM-swapping attacks.
Let us know if you enjoyed reading this news on LinkedIn, Twitter, or Facebook. We would love to hear from you!
Image source: Shutterstock
Asst. Editor, Spiceworks Ziff Davis
On June 22, Toolbox will become Spiceworks News & Insights