Previously available on Apple’s App Store and Google Play, the fake apps mimicked photo editors, games, VPN services, and tools to trick users into sharing their Facebook credentials.
Facebook advises its users to beware of fake and malicious apps that try to hijack your credentials for the popular social network. In a report published on Friday, the company revealed it had discovered more than 400 malicious Android and iOS apps disguised as legitimate programs designed to trick people into logging in with their Facebook password. The identified apps have since been removed by Apple and Google, but the threat itself remains as similar apps can always appear to take their place.
How these apps disguised themselves
Listed in Apple’s App Store and Google Play, the malicious apps imitated a series of seemingly real programs.
Some were disguised as photo editors that promised to turn your photo into a cartoon. Others were counterfeit VPN apps that claimed to increase your internet speed or allow access to blocked websites. Phony games touted high-quality 3D graphics. Some appeared as flashlight apps that promised to improve your phone’s built-in flashlight. Others pretended to be fitness apps and horoscope programs. There were even so-called business and ad management apps that claimed to provide hidden or unauthorized features not found in other programs.
SEE: Mobile Device Security Policy (TechRepublic Premium)
How these apps worked
These malicious apps all ran the same scam. Once installed, the app would ask the user to “log in with Facebook” to unlock all of its features. If the user complied, their Facebook credentials were captured by the cyber criminals behind the apps, giving them full access to the account: the ability to view private or confidential information and to send messages to the person’s friends. To bury the negative reviews left by people who had fallen for the scam, the criminals would post fake reviews promoting the apps.
Both Apple and Google equip their app stores with security screening aimed at detecting and blocking malicious software, but some apps still slip past it. After discovering the apps in question, Facebook reported them to Apple and Google, who removed them from their respective app stores.
SEE: Password Breach: Why Pop Culture and Passwords Don’t Mix (Free PDF) (TechRepublic)
How to avoid fake and malicious apps
Many apps and websites offer an option to sign in with your Facebook account, so it’s only natural that cyber criminals have abused this option. So how can you tell a fake app from a legitimate one? Here are a few questions to ask, according to Facebook:
- Does the app need social media credentials to work? Will it refuse to function unless you enter your Facebook username and password? For example, be wary of a photo editor or fitness app that claims to need your Facebook credentials before you can use it.
- Is the app reliable? Research the number of downloads, as well as ratings and reviews. Make sure to look for the negative reviews.
- Does the app deliver the functionality it promises, before or after you sign up?
What to do if you fall for the scam
If you believe you have installed a malicious app and have already logged in with your Facebook or social media credentials, you should first remove the app from your mobile device.
- Next, reset the password for the social media account you signed up with. Remember to create a strong and unique password and don’t reuse it across sites. If your business needs help managing passwords, TechRepublic Premium’s experts have put together a policy to help. Download our Password management policy for more information.
- Set up two-step verification for your account using an authenticator app.
- Turn on login notifications so you are alerted if someone tries to access your account. Review past sessions for your account to confirm which devices can access it.