Facebook is advising its users to beware of fake and malicious apps that attempt to hijack your credentials for the popular social network. In a report published on Friday, the company revealed that it had uncovered more than 400 malicious Android and iOS apps disguised as legitimate programs designed to fool people into signing in with their Facebook passwords. The apps identified have since been removed by Apple and Google, however, the threat itself remains as similar apps can always pop up to take their place.
How these apps disguised themselves
Listed on Apple’s App Store and Google Play, the malicious apps impersonated a range of seemingly genuine programs.
Some were disguised as photo editors that promised to turn your photo into a cartoon. Others spoofed VPN apps that claimed to increase your internet speed or provide access to blocked websites. Phony games touted high-quality 3D graphics. Some of them appeared as flashlight apps that promised to improve your phone’s built-in flashlight. Others masqueraded as fitness apps and horoscope programs. There were even so-called business and ad management apps that claimed to offer hidden or unauthorized features not found in other programs.
SEE: Mobile device security policy (TechRepublic Premium)
How these apps worked
These malicious apps all tried to pull off the same scam. After being installed, the app would ask the user to “Log in with Facebook” in order to take full advantage of all its features. If the user complied, their Facebook credentials would then be compromised by the cybercriminals behind the apps, letting them gain full access to the account, view private or confidential information, and send messages to the person’s friends. To hide the negative reviews from people who fell for the scam, the criminals would post fake reviews touting the apps.
Both Apple and Google outfit their app stores with security aimed at detecting and blocking malicious software. But some apps are able to skirt past the security detection. After discovering the apps in question, Facebook reported them to Apple and Google, which removed them from their respective app stores.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
How to avoid phony and malicious apps
Many apps and websites offer an option to log in with your Facebook account, so it’s only natural that cybercriminals have exploited this capability. As such, how can you tell a phony app from a legitimate one? Here are a few questions to ask, according to Facebook:
- Does the app require social media credentials to use it? Will the app not function if you fail to provide your Facebook username and password? For example, be wary of a photo editor or fitness app that claims to require your Facebook credentials before you can use it.
- Is the app reputable? Examine its download count as well as ratings and reviews. Make sure you seek out the negative reviews.
- Does the app provide the functionality it promises, either before or after you sign in?
What to do if you fall for a scam
If you think you’ve installed a malicious app and have already signed in with your Facebook or social media credentials, you should first delete the app from your mobile device.
- Next, reset the password for the social media account you used to sign in. Remember to create a strong and unique password and don’t use it across multiple sites. If your business needs help managing passwords, the experts at TechRepublic Premium have put together a policy to help. Download our Password Management Policy for more information.
- Set up two-factor authentication for your account using an authenticator app.
- Enable log-in alerts to be notified if someone tries to access your account. Review previous sessions for your account to confirm which devices have access to it.
Subscribe to the Cybersecurity Insider Newsletter
Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays