Meta Says It Has Busted More Than 400 Login-Stealing Apps This Year

Both Apple and Google have struggled for years to keep malicious apps out of their official mobile app stores and away from users’ phones. Simple programs like flashlight apps, photo editing tools, and games can mask efforts to grab user data, authorize rogue charges, or steal login credentials to a legitimate service. Today, Meta said it has found and reported more than 400 apps this year in official app stores that were set up to steal victims’ Facebook credentials.

Meta will notify 1 million users that they may have been exposed to one of the rogue applications. That doesn’t mean all those users had their Facebook accounts compromised, but Meta researchers say they are being cautious and casting a wide net because they have limited visibility beyond their own platform to know exactly what went on with each user. Of the 400 programs Meta flagged and reported, 45 were iOS apps. The company says that the activity didn’t appear to be targeted toward a particular geographic region or subset of people.

“It’s a highly adversarial space, and some of these apps manage to evade detection,” says David Agranovich, Meta’s director of threat disruption. “Flashlight apps, photo editors, mobile games. There are many legitimate applications on the Apple and Google stores, but cybercriminals know how popular these types of apps are and use that to their advantage. We want to deter threat actors and keep people safe.”

Agranovich says that this group of 400 apps from 2022 targeted only Facebook, not Instagram and WhatsApp, the company’s other popular platforms. But the company has tracked threats from similar credential-stealing apps that are focused on those services.

Google Play and Apple’s App Store each have their own vetting systems, but some malicious apps still slip by. Credential theft is a classic focus of developers of these rogue apps, and attackers often craft their ploys to take over high-value accounts like Facebook profiles that both contain a lot of data themselves and are also used as single sign-on platforms to log in to other services. Nearly 47 percent of the apps Meta flagged masqueraded as photo editing services. About 15 percent claimed to be business utilities. And nearly 12 percent pretended to be VPNs, while “phone utilities,” games, and lifestyle made up the remaining categories.

Google says that the Android apps Meta identified have all been taken down from Google Play and that the company had independently caught and removed many of them throughout the year before Meta’s disclosures.

Apple said that it doesn’t tolerate fraudulent or malicious apps in the App Store and that the 45 iOS apps Meta researchers flagged have already been removed.

Both companies have struggled to police their official app stores, and each faces its own version of the same challenges. For Google, Android’s open ecosystem means that users can download apps from third-party app stores beyond Google’s control. This makes it even more problematic when malicious apps show up in Play, but it also gives users leeway to source apps where they want to (ideally, if they know they can trust a particular developer). The closed iOS ecosystem has far fewer threats from rogue apps outside the App Store, but as a result all users must get their apps from Apple, making it even more valuable for attackers to sneak their malicious apps in.