Fraudsters are stealing Facebook users' information through malicious apps downloaded from Apple and Google's software stores, according to Facebook's parent company Meta.
The company announced Friday that it uncovered more than 400 malicious Android and iOS apps this year that target Facebook users to steal their login information. Meta said it reported findings to Apple and Google and the applications have been removed.
Meta's Director of Threat Disruption, David Agranovich, said that many of the apps are advertised as having "fun or useful functionality," including photo editors, virtual private networks, mobile games, and health trackers. In reality, most have limited features, sometimes asking users to log in with their Facebook accounts to unlock additional capabilities. This is a way for fraudsters to obtain Facebook users' information.
"Many of the apps provided little to no functionality before you logged in, and most provided no functionality even after a person agreed to login," Agranovich said during a press briefing.
He also noted that this type of fraudulent activity does not target specific geographic regions, instead, it operates as a "spray and pray" tactic to get as many login credentials as possible.
Apple told SC Media that 45 of 400 malicious apps were on iOS and have already been removed from the App Store. "The App Store was designed to be a safe and trusted place for users to download apps, and we have zero tolerance for fraud or apps designed with malicious intent," An Apple spokesperson said in an email.
SC Media reached out to Google today to confirm the number of malicious apps on Android and has not heard back from the company.
Alon Nachmany, Field CISO at AppViewX, told SC Media that it is rumored that Google has only checked the original version of apps but not continuously performed checks when apps are updated. On the contrary, he noted that Apple’s security checks are stricter, and app permissions are not as easy or open as they are on Android.
“It is critical to acknowledge that there is a balance between availability and security,” Nachmany said.
Tzachi Zornstain, head of supply chain security at Checkmarx, noted that in this case between Apple and Google, it is difficult to say one company’s security checks are more effective than the other.
“Both of them have devoted lots of efforts to improve their application security, and it is not as easy as many people think,” Zornstain said during an interview with SC Media.
Indeed, both Apple and Google have struggled for years to detect and remove malicious apps, with numerous vendors reporting malware disguised as legitimate software in both stores.
One of the most recent examples is the discovery of a new ad fraud campaign 'Scylla' by HUMAN‘s Satori Threat Intelligence & Research team last month. The apps targeted several advertising software development kits, featuring more than 75 Android apps and 10 iOS apps with 13 million total downloads before they were taken down.
The researchers noted that ‘Scylla’ is the third wave of an attack that dated back to August 2019. The second wave which they named ‘Charybdis’ was uncovered in late 2020.
Bitdefender also identified 35 malicious apps representing more than 2 million downloads on Google Play in August this year. The security vendor found that these apps concealed their presence by renaming themselves after installation to make detection and removal difficult.
As the US midterm elections are coming up, Agranovich told Bloomberg during an interview that Meta will stay vigilant and continue monitoring security threats on its platform.