The 400 malicious Android and iOS apps were disguised as photo editors, games, and VPNs listed on App Store and Play Store, but actually targeted Facebook users in an attempt to steal their Facebook login information.
Meta has shared the findings with Apple and Google and intends to help potentially impacted users to retrieve or secure their accounts, and has provided more information to enable users, industry peers, security researchers, and policymakers to protect their accounts.
The apps listed on the Google Play Store and Apple’s App Store were possing to be photo editors, games, VPN services, business apps, and other utilities such as:
- Photo editors, and animated effects
- VPNs apps granting access to blocked websites
- Phone utilities such as flashlight apps that claim to brighten the phone’s flashlight
- Mobile games
- Health and lifestyle apps
- Business or ad management apps
The highest number of these malicious apps claimed to be photo editors, accounting for 42.6%. Meta states that all of these apps were taken down from both Android and iOS app stores prior to the company making the announcement of this report.
The company also insists that the users stay alert and not compromise their login credentials or not provide access or permissions to such apps, as it may be harmful to their account security, and overall digital well-being.
These apps generically pose to offer utilities such as photo editing functionalities, which are commonly used and widely popular. Then cover up the reviews unveiling the true nature of fake reviews, and ask for Facebook credentials for the users to sign-in, in and potentially gain access to the user's account.
Here are a few steps to follow to ensure protection from these malicious apps:
Before using Facebook logins to sign in to an app look for the following red flags:
- Requiring social media credentials to use the app: Is the app unusable if you don’t provide your Facebook information? For example, be suspicious of a photo-editing app that needs your Facebook login and password before allowing you to use it
- The app’s reputation: Is the app reputable? Look at its download count, ratings, and reviews, including negative ones
- Promised features: Does the app provide the functionality it says it will, either before or after logging in?
Follow the following steps if your account was affected or compromised:
- Reset and create new strong passwords. Never reuse your password across multiple websites
- Enable two-factor authentication, preferably using an Authenticator app, to add an extra security layer to your account
- Turn on log-in alerts so you’ll be notified if someone is trying to access your account. Review your previous sessions to ensure you recognize which devices have access to your account
Follow Us/socialsamosa/media/post_banners/nlARdkbAZwDcgNSi0oyp.jpg)
/socialsamosa/media/media_files/2025/06/09/leaderboard-new-pulse-772575.png)
/socialsamosa/media/agency_attachments/PrjL49L3c0mVA7YcMDHB.png)
