Meta detects 400 malicious apps on Android and iOS

Fraudsters are stealing Facebook users’ information through malicious apps downloaded from Apple and Google’s software stores, according to Facebook’s parent company Meta.
The company announced on Friday that it uncovered more than 400 malicious Android and iOS apps this year that target Facebook users to steal their login information. Meta said it reported its findings to Apple and Google, and the applications have been removed.
Meta’s director of threat disruption, David Agranovich, said many of the apps are advertised as having “fun or useful functionality”, including photo editors, virtual private networks, mobile games and health trackers. In reality, most of them have limited features and sometimes ask users to log in with their Facebook accounts to unlock more features. This is a way for fraudsters to get hold of Facebook users’ information.
“Many of the apps provided little or no functionality until you signed in, and most provided no functionality even after a person agreed to sign in,” Agranovich said during a press conference.
He also noted that this type of fraudulent activity does not target specific geographic regions, instead acting as a “spray and pray” tactic to obtain as many login credentials as possible.
Apple told SC Media that 45 out of 400 malicious apps were on iOS and have already been removed from the App Store. “The App Store was designed to be a safe and trusted place for users to download apps, and we have zero tolerance for fraud or apps designed with malicious intent,” an Apple spokesperson said in an email.
SC Media reached out to Google today to confirm the number of malicious apps on Android and has not heard back from the company.
Alon Nachmany, Field CISO at AppViewX, told SC Media that Google is rumored to have only checked the original version of apps, but not continuously performed checks when apps are updated. On the contrary, he noted that Apple’s security controls are stricter, and app permissions are not as simple or open as they are on Android.
“It’s critical to recognize that there is a balance between accessibility and security,” Nachmany said.
Tzachi Zornstain, head of supply chain security at Checkmarx, noted that in this case, comparing Apple and Google, it’s hard to say that one company’s security checks are more effective than the other’s.
“Both have devoted a lot of effort to improving application security, and it’s not as easy as many people think,” Zornstain said during an interview with SC Media.
In fact, both Apple and Google have struggled for years to detect and remove malicious apps, with many vendors reporting malware masquerading as legitimate software in both stores.
One of the latest examples is the discovery of a new ad fraud campaign, “Scylla,” by HUMAN’s Satori Threat Intelligence & Research team last month. The apps targeted multiple adware development kits, with more than 75 Android apps and 10 iOS apps totaling 13 million downloads before they were removed.
The researchers noted that “Scylla” is the third wave of an attack dating back to August 2019. The second wave, which they named “Charybdis,” was detected in late 2020.
Bitdefender also identified 35 malicious apps representing more than 2 million downloads on Google Play in August this year. The security vendor found that these apps hid their presence by renaming themselves after installation to make detection and removal difficult.
As the US midterm elections approach, Agranovich told Bloomberg during an interview that Meta will be vigilant and continue to monitor security threats on its platform.