Facebook warns 1 million users whose logins were stolen by scam mobile apps

Meta is warning Facebook users about hundreds of apps on Apple and Google’s app stores that were specifically designed to steal login credentials to the social network app. The company says it’s identified over 400 malicious apps disguised as games, photo editors, and other utilities and that it’s notifying users who “may have unknowingly self-compromised their accounts by downloading these apps and sharing their credentials.” According to Bloomberg, a million users were potentially affected.

In its post, Meta says that the apps tricked people into downloading them with fake reviews and promises of useful functionality (both common tactics for other scam apps that are trying to take your money rather than your login info). But upon opening some of the apps, users were prompted to log in with Facebook before they could actually do anything — if they did, the developers were able to steal their credentials.

Meta says that it reported the apps to Google and Apple and got them taken down, but it’s still not a great look that they made it onto the stores in the first place. That’s especially true for Apple; for years, the company has argued against sideloading apps for the iPhone, saying that the ability to install apps not in the App Store is “a cyber criminal’s best friend.” It argues that its App Review process, which theoretically vets apps before they’re made available on the App Store, has helped it build a “trusted ecosystem for millions of apps.” Despite this, the company has struggled to reign in scam apps on its platform, with some reportedly raking in millions of dollars.

To be fair, Facebook’s report indicates that the issue is significantly worse on the Play Store — out of the 402 malicious apps on its list, 355 were for Android, and 47 were for iOS. Interestingly, the Android ones spanned a wide range of genres, from games, VPNs, photo editors, and horoscope apps, every single one for iPhone was related to managing business pages or ads. (This didn’t necessarily mean they weren’t reasonably suspicious; it’s hard to understand how “Very Business Manager” got past Apple’s App Review process.)

Neither Apple nor Google immediately responded to The Verge’s request for comment.

When it comes to apps that attempt to steal your login info, Meta’s post details some good warning signs to look out for — if the app doesn’t do what it says it does, locks all functionality behind a login, or has loads of (potentially buried) negative reviews, it’s probably best to give it a pass and find another, more reputable app.