Meta has uncovered over 400 mobile apps that’ve been designed to trick users into giving up their login information, including two-factor authentication codes.
The company’s malware-detection team discovered the malicious Android and iOS apps this past year while investigating cyber threats facing Facebook. Meta says it’s hard to estimate how many users may have downloaded the apps or given up their login credentials as a result, but the company plans on alerting suspected victims.
“So we’re being overcautious here. We will notify one million users that they may have been exposed to one of these applications,” David Agranovich, director of threat disruption at Meta, said in a briefing with journalists. He added that the apps targeted people indiscriminately.
The malicious apps masqueraded as legitimate programs such as photo editors, VPNs, games, or even flashlight apps. However, they would also demand the user sign in with an account for Facebook or another platform.
“Many of the apps provided little to no functionality before you logged in,” Agranovich said. “Most provided no functionality even after you logged in." But the login prompt could steal whatever username, password, and two-factor authentication code that was entered. Hackers could then use the stolen access to perpetuate other scams.
The apps also managed to bypass Google Play Store and Apple App Store safeguards to get listed. According to Meta’s report, 42.6% percent of the malicious apps posed as photo editors, while 11.7% pretended to be VPNs. Meanwhile, the affected apps on iOS focused on offering business utilities with names such as "Business Manager Pages" and "Ad Optimization Meta."
“Cybercriminals know how popular these types of apps are, and
Read more on pcmag.com