Facebook log-in thieves: a list of 400+ malicious apps

Meta has identified over 400 malicious Android and iOS apps designed to steal Facebook log-in information.

Meta reported its findings to Apple and Google, saying it was helping affected people secure their accounts.

“These apps were listed on the Google Play Store and Apple’s App Store and disguised as photo editors, games, VPN services, business apps, and other utilities to trick people into downloading them,” Meta said.

Malicious apps were disguised as:

  • Photo editors, including those that claim to allow you to “turn yourself into a cartoon”
  • VPNs promising to boost browsing speed or grant access to blocked content or websites
  • Phone utilities, such as flashlight apps, that claim to brighten your phone’s flashlight
  • Mobile games falsely promising high-quality 3D graphics
  • Health and lifestyle apps such as horoscopes and fitness trackers
  • Business or ad management apps offering hidden or unauthorized features not found in official apps by tech platforms.

Malware apps are disguised to look fun or useful, and many of them are capable of avoiding detection. Typically, their developers post positive yet fake reviews to cover up the negative ones and trick victims into installing malware.

Malicious apps detected by Meta

When a person installs the malicious app, they are prompted to “log-in with Facebook” before they can enjoy the promised features. That way, the attacker hopes to gain full control over the victim’s account.

“There are many legitimate apps that offer the features listed above or that may ask you to sign in with Facebook in a safe and secure way. Cybercriminals know how popular these types of apps are and use these themes to trick people and steal their accounts and information,” Meta noted.

Some telltale signs can help you identify a malicious app. An app could be fake if it requires you to provide your Facebook information before you can use it. Always look at the app’s download count, ratings, and reviews, especially the negative ones.

Here’s the list of 400+ apps Meta identified as malicious. If you believe you might have been affected, immediately reset and create new strong passwords, enable two-factor authentication, and turn on log-in alerts.
