Facebook says it has spotted hundreds of malicious mobile apps that abuse its single sign-on (SSO) feature to steal people’s login credentials.
While it has reported the apps to Google and Apple, the operators of the world’s two largest mobile app stores, users who have already installed these apps will remain under threat until they are deleted.
In a blog post, the social media giant explained it identified over 400 malicious apps on Android and iOS. These apps range from fake VPNs to photo editors, mobile games, business apps, utility apps, and health and lifestyle services.
Dangerous mobile apps
When installed, the apps in question require users to “log in with Facebook” to use their features. However, doing so results in data being stolen, allowing threat actors to use their accounts for whatever they see fit.
Sometimes, threat actors would use Facebook to distribute malware and viruses, launch stage-two ransomware attacks, take over pages and groups the compromised account was administrating, amplify fake news, or boost fraudulent apps with positive reviews.
Photo editor apps are by far the most popular type, comprising 42.6% of the entire batch. Business utility apps are second with 15.4%, followed by phone utility services (14.1%).
While most of these apps can only be found on third-party app repositories and standalone websites (which should be cause for concern, to begin with), some manage to bypass security measures set up by Google and Apple, and end up getting listed on the Play Store and App Store. Facebook managed to get all the apps listed on official repositories removed, but for the others it can’t do much, right now.
To protect against such apps, Facebook suggests users look for “telltale signs” that differentiate malicious, from legitimate apps, including requiring social media credentials to run, the app’s reputation, or promised features.
The full list of the apps can be found here (opens in new tab).