Meta warned on Friday that one million Facebook users have downloaded or used innocent-looking mobile apps designed to steal their social network password.
“We’re going to let a million people know that they may have been exposed to these apps — that doesn’t necessarily mean they were hacked,” David Agranovich, a director of Meta’s cybersecurity teams, said at a press conference.
Since the beginning of the year, the parent company of Facebook and Instagram has identified more than 400 “malicious” applications, available on smartphones running iOS (Apple) and Android (Google).
“These apps were present on the Google Play Store and Apple’s App Store and posed as photo editing tools, games, VPNs and other services,” Meta said in a statement.
Once downloaded and installed on the phone, these booby-trapped apps asked users to enter their Facebook credentials in order to use certain features.
“They’re just trying to trick people into giving up their confidential information to give hackers access to their accounts,” said David Agranovich.
He believes that the developers of these applications were probably looking to collect other passwords as well, not just those for Facebook profiles.
“Targeting seemed pretty undifferentiated,” he noted. The goal seemed to be “to get as many IDs as possible.”
Meta said it shared its findings with Apple and Google.
Apple did not respond to a request from AFP, but Google said it had already removed most of the applications reported by Meta from its Play Store.
“None of the apps identified in the report are still available on Google Play,” a Google spokesperson wrote to AFP.
More than 40% of the reported apps were used to edit images. Others were simple tools, for example one that turns a phone into a flashlight.
David Agranovich advised users to be wary when a service asks for credentials for no good reason or makes “too good to be true” promises.