Update: The names of the apps are now known. Apple has removed them from the App Store, but the apps also need to be removed from devices – see the list added to the end of the piece.
Meta has issued a Facebook security warning to around one million users that their login credentials may have been stolen by scam apps. While most of the apps were Android ones, 47 of them were iOS apps found in Apple’s App Store …
Many apps and websites offer third-party login options, with the most common ones being:
- Login with Facebook
- Login with Google
- Login with Apple
The intention behind these login methods is to make it quicker and easier to start using an app, by skipping the need to register an account. However, a bad actor can also use this approach to steal your credentials.
Engadget reports that this is what a whole bunch of scam apps have done with the “Login with Facebook” option.
Facebook security warning
If you have used one of the known scam apps, Meta will push a message to you in the Facebook app:
Meta is warning 1 million Facebook users that their account information may have been compromised by third-party apps from Apple or Google’s stores. In a new report, the company’s security researchers say that in the last year they’ve identified more than 400 scammy apps designed to hijack users’ Facebook account credentials.
According to the company, the apps are disguised as “fun or useful” services, like photo editors, camera apps, VPN services, horoscope apps, and fitness tracking tools. The apps often require users to “Log In with Facebook” before they can access the promised features. But these login features are merely a means of stealing Facebook users’ account info. And Meta’s Director of Threat Disruption, David Agranovich, noted that many of the apps Meta identified were barely functional.
The site says that the iOS apps identified mostly appeared to be targeting business users, with names like Meta Business, FB Analytic, and so on.
A security notice from Meta
You may have logged into Facebook from a malicious app designed to steal yourFacebook account information.
To protect your information we recommend you secure your account immediately.
Meta has provided the full list of apps to both Apple and Google, so that they can be removed from their respective app stores.
Apple of course argues that its app review process keeps users safe from scams, and this is why it shouldn’t be obliged by antitrust concerns to allow third-party app stores or sideloading of iOS apps.
This latest revelation could be said to provide ammunition to both sides of the debate. On the one hand, dozens of scam apps made it through app review despite the fact that (a) they were stealing credentials and (b) scarcely worked. On the other, there were far fewer of these apps in the App Store than in Google’s Play Store.
Full list of affected iPS apps
If you have installed any of these apps, you should remove the app and then change your Facebook password.
Photo: Dawid Sokołowski/Unsplash
