Meta mentioned it could notify roughly 1 million Facebook customers that their account credentials might have been compromised as a consequence of safety points with apps downloaded from Apple and Alphabet’s software program shops. The firm introduced Friday that it recognized greater than 400 malicious Android and iOS apps this 12 months that focus on web customers with the intention to steal their login info. Meta mentioned it knowledgeable each Apple and Google concerning the problem with the intention to facilitate the elimination of the apps.

The apps labored by disguising themselves as photograph editors, cell video games, or well being trackers, Facebook said.

Apple mentioned 45 of the 400 problematic apps had been on its App Store and have been eliminated. Google eliminated all of the malicious apps in query, a spokesperson mentioned.

“Cybercriminals know how popular these types of apps are, and they’ll use similar themes to trick people and steal their accounts and information,” mentioned David Agranovich, director of worldwide risk disruption at Meta. “If an app is promising something too good to be true, like unreleased features for another platform or social media site, chances are that it has ulterior motives.”

A typical rip-off would unfold, for instance, after a consumer downloaded one of many malicious apps. The app would require a Facebook login to work past fundamental performance, thus tricking the consumer into offering their username and password. Users may then, for instance, add an edited photograph to their Facebook account. But within the course of, they unknowingly compromised their account by giving the creator of the app entry.

Meta mentioned it could be sharing suggestions with potential victims on how they will keep away from being “re-compromised” by studying how you can higher spot problematic apps that pilfer credentials, whether or not for Facebook or different accounts. The malicious exercise occurred off Meta programs, Agranovich mentioned, including that not all 1 million individuals essentially had their passwords compromised.

© 2022 Bloomberg L.P.