Facebook says up to 1 million people have been hacked by rogue iPhone and Android apps
Facebook says up to 1 million people may have had their usernames and passwords stolen and misused by beauty apps, photo editors, games and other “rogue” apps in its two main app stores.
The social media giant has listed 400 apps, including beauty filters, tools like torch apps, VPNs and business management apps in Android’s Play Store and Apple’s App Store.
The company says the rogue apps can give attackers “full access to a person’s account”, allowing them to launch cash anchor fraud. The stolen credentials can also be used to access other services that use Facebook login for sign-in.
The company says it has removed rogue apps and is contacting affected people.
“We identified more than 400 malicious Android and iOS apps this year that target people across the Internet to steal their Facebook credentials,” said David Agranovich, director of threat disruption at Facebook.
“We reported our findings to Apple and Google and are helping potentially affected individuals learn more about how to stay safe and secure their accounts.”
“Once a person installs the malicious app, it may ask them to sign in with Facebook before they can use its promised features,” he said.
“If they provide their credentials, the malware steals their username and password.”
Some of the rogue apps claim to allow you to “turn yourself into a cartoon”. Other names, such as “Cool Filter Editor” and “Beauty Camera Plus”, promise filters and effects.
Facebook says the list includes rogue VPN apps, such as Fast VPN Proxy, which claim “to increase browsing speed or provide access to blocked content or websites”.
The list, which Facebook has published, also includes phone tools such as flashlight apps that claim to light up your phone’s torch facility.
It also includes health and lifestyle apps such as horoscopes and fitness trackers, while business or ad management apps that claim to offer hidden or unauthorized features not found in official apps are also named.
Facebook has urged people to look out for some telltale signs of an app’s fraudulent intentions.
“Is the app useless if you don’t provide your Facebook information? For example, be suspicious of a photo-editing app that needs your Facebook login and password before letting you use it.”
It also recommends checking if the app is recognized. “Look at the number of downloads, ratings and reviews, including negative ones.”
General advice for people looking to protect themselves also includes regularly changing passwords and enabling two-factor authentication, which requires anyone who wants to log into an account to use a one-time code sent to a different email address or SMS number.
“Turn on login notifications so you’ll be notified if someone tries to access your account,” the company adds. “Be sure to review your previous sessions to ensure you recognize which devices have access to your account.”