Meta Says It Has Busted More Than 400 Login-Stealing Apps This Year

The company plans to alert 1 million Facebook users that their account credentials may have been compromised by malicious software.
[Image: fingerprints on a phone screen. Photograph: MirageC/Getty Images]

Both Apple and Google have struggled for years to keep malicious apps out of their official mobile app stores and away from users' phones. Simple programs like flashlight apps, photo editing tools, and games can mask efforts to grab user data, authorize rogue charges, or steal login credentials to a legitimate service. Today, Meta said it has found and reported more than 400 apps this year in official app stores that were set up to steal victims' Facebook credentials.

Meta will notify 1 million users that they may have been exposed to one of the rogue applications. That doesn't mean all those users had their Facebook accounts compromised, but Meta researchers say they are being cautious and casting a wide net because they have limited visibility beyond their own platform to know exactly what went on with each user. Of the 400 programs Meta flagged and reported, 45 were iOS apps. The company says that the activity didn’t appear to be targeted toward a particular geographic region or subset of people.

“It's a highly adversarial space, and some of these apps manage to evade detection,” says David Agranovich, Meta's director of threat disruption. “Flashlight apps, photo editors, mobile games. There are many legitimate applications on the Apple and Google stores, but cybercriminals know how popular these types of apps are and use that to their advantage. We want to deter threat actors and keep people safe.”

Agranovich says that this group of 400 apps from 2022 targeted only Facebook, not Instagram and WhatsApp, the company's other popular platforms. But the company has tracked threats from similar credential-stealing apps that are focused on those services.

Google Play and Apple's App Store each have their own vetting systems, but some malicious apps still slip by. Credential theft is a classic focus of developers of these rogue apps, and attackers often craft their ploys to take over high-value accounts like Facebook profiles that both contain a lot of data themselves and are also used as single sign-on platforms to log in to other services. Nearly 47 percent of the apps Meta flagged masqueraded as photo editing services. About 15 percent claimed to be business utilities. And nearly 12 percent pretended to be VPNs, while “phone utilities,” games, and lifestyle made up the remaining categories.

Google says that the Android apps Meta identified have all been taken down from Google Play and that the company had independently caught and removed many of them throughout the year before Meta's disclosures.

Apple said that it doesn't tolerate fraudulent or malicious apps in the App Store and that the 45 iOS apps Meta researchers flagged have already been removed.

Both companies have struggled to police their official app stores, and each faces its own version of the same challenges. For Google, Android's open ecosystem means that users can download apps from third-party app stores beyond Google's control. This makes it even more problematic when malicious apps show up in Play, but it also gives users leeway to source apps where they want to (ideally, if they know they can trust a particular developer). The closed iOS ecosystem has far fewer threats from rogue apps outside the App Store, but as a result all users must get their apps from Apple, making it even more valuable for attackers to sneak their malicious apps in.

“Apple is usually quick to respond once scam apps are reported, but potentially unwanted programs are absolutely a big problem on iOS, and nobody other than Apple has the ability to do anything about it,” says Thomas Reed, director of Mac and mobile platforms at the antivirus maker Malwarebytes.

The apps Meta flagged steal credentials by prompting unsuspecting victims to log into Facebook. Instead of using a secure deployment of the single-sign-on service Sign in With Facebook, though, the apps would simply present Facebook’s browser login flow while capturing whatever credentials users entered, including usernames, passwords, and two-factor authentication codes. In the majority of cases, Meta says, the apps immediately prompted users to log in and didn’t offer any functionality, like a game or flashlight tool, before or after the user completed the login.
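To make the distinction in the paragraph above concrete, here is an added example (not code from Meta, WIRED or Facebook's real login API) of a simulated OAuth 2.0 authorization-code flow with PKCE and a state check, which is the general shape of a properly deployed single-sign-on login. The provider, app and user names are constructed stand-ins. It shows why the deployment matters: with a real SSO flow, the third-party app's code only ever handles a short-lived, single-use authorization code and the resulting token, never the password, while an app that hosts its own login form (the pattern the article describes) necessarily sees everything the user types into it.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the identity provider's user database (not real accounts).
USERS = {"alice": "correct horse battery staple"}


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE code challenges are encoded."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class IdentityProvider:
    """Minimal stand-in for the provider side of an authorization-code flow."""

    def __init__(self):
        self._pending = {}  # authorization code -> (username, code_challenge)
        self.tokens = {}    # access token -> username

    def authorize(self, username, password, code_challenge):
        # The password is checked HERE, on the provider's own login page.
        # The third-party app is never handed the password.
        if USERS.get(username) != password:
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self._pending[code] = (username, code_challenge)
        return code

    def exchange(self, code, code_verifier):
        entry = self._pending.pop(code, None)  # single use: a replayed code fails
        if entry is None:
            raise PermissionError("unknown or already used code")
        username, challenge = entry
        if _b64url(hashlib.sha256(code_verifier.encode()).digest()) != challenge:
            raise PermissionError("PKCE verifier mismatch")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = username
        return token


@dataclass
class SsoApp:
    """Third-party app that delegates login to the provider (the secure pattern)."""
    idp: IdentityProvider
    inputs_seen: list = field(default_factory=list)  # every value the app's code touches
    _state: str = ""
    _verifier: str = ""

    def start_login(self):
        self._state = secrets.token_urlsafe(16)
        self._verifier = secrets.token_urlsafe(32)
        challenge = _b64url(hashlib.sha256(self._verifier.encode()).digest())
        return {"state": self._state, "code_challenge": challenge}

    def finish_login(self, returned_state, code):
        self.inputs_seen.extend([returned_state, code])
        if not secrets.compare_digest(returned_state, self._state):
            raise PermissionError("state mismatch (response not bound to our request)")
        return self.idp.exchange(code, self._verifier)


class CredentialPromptingApp:
    """The pattern the article describes: the app itself hosts the login form."""

    def __init__(self):
        self.inputs_seen = []

    def login(self, username, password):
        # Whatever the user types is now in the app's hands, by construction.
        self.inputs_seen.extend([username, password])


def legitimate_login(username, password):
    """Run the SSO flow end to end; return (token, app, provider) for inspection."""
    idp = IdentityProvider()
    app = SsoApp(idp)
    req = app.start_login()
    # The user enters the password on the provider's page, outside the app's code.
    code = idp.authorize(username, password, req["code_challenge"])
    token = app.finish_login(req["state"], code)
    return token, app, idp


def replay_is_rejected(username, password):
    """True if presenting the same authorization code twice fails."""
    token, app, idp = legitimate_login(username, password)
    code = app.inputs_seen[-1]
    try:
        app.finish_login(app._state, code)
    except PermissionError:
        return True
    return False
```

Usage: `legitimate_login("alice", "correct horse battery staple")` returns a token the provider maps back to the user, and the app's `inputs_seen` contains only the state and the code; `CredentialPromptingApp().login(...)` puts the password itself into `inputs_seen`. The same single-use and state checks are what make an injected or replayed authorization code fail.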

Meta researchers say that while Facebook accounts are far from the only ones targeted in this way, they wanted to publish findings on the issue to raise awareness about malicious mobile apps both among users and in the tech industry more broadly. Meta suggests that users think about three factors to protect themselves against potentially malicious apps. First, carefully consider why an app might be requesting credentials for another service. A flashlight app shouldn't need to be linked to a social media account at all, and you should be able to play a game or use a photo editing app without a login requirement. Second, consider the app's reputation as best you can. Check to make sure you're downloading the exact app you intend to and not a lookalike. And third, think about whether an app offers the features it promises before—and certainly after—“logging in” to a required account. If your photo editor isn't doing much photo editing, there's probably a problem.