Facebook is contacting about 1 million users of its platform about their account details potentially being compromised by malicious Android or iOS applications.
In a blog post on Oct. 7, Facebook’s parent company Meta said its researchers had detected 400 malicious Android and iOS apps over the past year that were designed to steal usernames and passwords belonging to Facebook users and to compromise their accounts. The poisoned apps were uploaded to Google’s and Apple’s app stores and masqueraded as legitimate games, VPN services, photo applications, and other utilities.
When users downloaded and attempted to use one of the malicious apps, it would prompt them to enter the user’s Facebook username and password. If a user entered their credentials, attackers would gain full access to the individual’s account, private information, and their friends on the social media platform, Meta said.
“This is a highly adversarial space, and while our industry peers work to detect and remove malicious software, some of these apps evade detection and make it onto legitimate app stores,” David Agranovich, Meta’s director of threat disruption, and Ryan Victory, malware discovery and detection and engineer, wrote in the blog post.
Meta reported the apps to Apple and Google, and the researchers noted, “We are also alerting people who may have unknowingly self-compromised their accounts by downloading these apps and sharing their credentials and are helping them to secure their accounts.”
Posed as Legitimate Apps
Many of the iOS and Android apps that Meta detected on Apple and Google’s mobile stores purported to have some fun or useful functionality, like music players and cartoon image editors. A plurality (42%) posed as photo editors, some of which claimed they could turn a user’s photo into a cartoon.
About 15% purported to be business utilities, such as VPNs that claimed to help users access blocked content and websites or to boost their Internet browsing speeds; 14% were phone utilities, such as flashlight apps that purportedly helped brighten the phone’s flashlight.
Mobile games accounted for about 11% of the 400 or so malicious apps that Meta’s researchers discovered. Fake reviews might have helped boost the reputation of some of these apps and helped hide potential negative reviews of these apps, Meta said.
Facebook did not say how many of the 400 apps were Android-based. But Apple said that out of the 400 total apps mentioned in Meta’s blog post, 45 were on iOS — leaving 355 for Android.
A Google spokesman says all the apps identified in the Meta report are no longer available on Google Play. “Users are also protected by Google Play Protect, which blocks these apps on Android,” he said.
Apple also confirmed that the apps were removed from the App Store.
An Ongoing Issue
The issue of malicious apps finding their way into Google and Apple’s official mobile stores is by no means new. Both companies have been dealing with the problem for years and have implemented numerous mechanisms for vetting third-party applications published to their stores.
However, malware authors have consistently been able to sneak their apps in anyway. One tactic that attackers have commonly used to bypass Google and Apple’s testing processes has been to separate the malicious capabilities of the software from the benign and using a dropper to install the malicious code later once the testing is complete.
Over the years, numerous vendors have reported discovering malicious apps disguised as legitimate software on both stores. One of the more recent examples is BitDefender’s discovery of 35 malicious apps on Google Play that together had some 2 million downloads. The security vendor found some of the apps, which were designed to serve ads, renamed themselves after installation to make detection and removal harder.
In July, Dr. Web reported discovering and reporting to Google nearly 30 adware Trojans on Google Play with combined downloads of more than 9.8 million.
While attackers have tended to target Play more heavily, there have been numerous similar instances on the Apple App Store as well. In September, Human Security’s Satori research team reported on a massive ad-serving operation that involved dozens of malicious apps on Google Play and at least nine on the Apple App Store. Together, the apps were downloaded about 13 million times since at least 2019.