
Meta notifies around 1 million Facebook users of potential compromise through malicious apps

The vast majority of apps targeting iOS users appeared to be genuine apps for managing business functions such as advertising and analytics

Meta will send educational alerts to nearly 1 million users that it believes may have been impacted in a potential data breach after using a catalogue of mobile apps identified as malicious.

The parent company of Facebook discovered more than 400 apps on Android and iOS were specifically crafted to steal account credentials and is working with Google and Apple to help secure impacted accounts.


Meta's security researchers used signals from the company's own telemetry to decide which users would receive the notifications. These users may have installed one of the 403 malicious apps, but Meta believes that fewer than that number actually had their credentials compromised.

Notified users will be directed to a new dedicated help desk article that will guide them through why they've been notified and how to secure their accounts.

The company will not detail how it identified which users may have been affected by the malicious apps, for fear of alerting threat actors to its security research methods.

The apps used by cyber criminals to steal account data were mostly Android apps distributed through Google Play. A total of 356 of the identified apps were Android-based, compared with just 47 on Apple's App Store.

Android users are generally more exposed to this kind of attack because the operating system allows apps to be installed from third-party stores and other sources outside Google Play, where there is no review process at all.

Users can be tricked into visiting links leading to malicious app stores where malware-laden apps can be downloaded and installed, executing myriad attacker-designated tasks such as password stealing.

Apple's iPhones can only install apps from the Apple-controlled App Store, where each submission is reviewed before it is listed.

Generally speaking, this leads to comparatively few cases of mobile malware on Apple hardware, but the Meta incident shows that some malicious apps still get past that review.

Meta said the apps were available on third-party app stores, but also that they had been listed on Apple's and Google's official stores.

The malicious apps took various disguises but the most common theme was fake photo-editing apps, comprising more than 42% of the total number. 

The vast majority of apps impacting iOS users appeared to be focused on business-related functions such as Facebook advert managers and analytics.

“This is a highly adversarial space and while our industry peers work to detect and remove malicious software, some of these apps evade detection and make it onto legitimate app stores,” said Meta in a blog post.

“We’ve reported these malicious apps to our peers at Apple and Google and they have been taken down from both app stores prior to this report’s publication. 

“We are also alerting people who may have unknowingly self-compromised their accounts by downloading these apps and sharing their credentials, and are helping them to secure their accounts.”

Meta said these apps typically claim to offer either a fun or useful service and greet users with a ‘Login with Facebook’ option at launch.

Choosing this option leads the user to enter their real Facebook credentials, which the app captures and relays to the cyber criminals behind it.

Many of the apps identified by the company were only accessible after logging in using the social media platform - a telltale sign of a fraudulent campaign, it said.

The campaign is especially threatening to businesses that rely on social media for key operations such as marketing or advertising.

That the iOS apps mainly impersonated advert and analytics managers for Facebook pages is indicative of the attackers' motive: targeting users who are likely to hold business accounts.

Examining the number and quality of reviews an app has can help indicate whether it is trustworthy, but Meta said it is common for such apps to generate fake reviews to increase the perception of authenticity.
