Meta notifies around 1 million Facebook users of potential compromise through malicious apps


Meta will send educational alerts to nearly 1 million users who it believes may have had their Facebook credentials stolen after using one of a catalogue of mobile apps it has identified as malicious.

The parent company of Facebook discovered more than 400 apps on Android and iOS that were specifically crafted to steal account credentials, and it is working with Google and Apple to remove them and help secure impacted accounts.


Meta's security researchers used signals from the company's own telemetry to decide which users would receive the notifications. These users may have used one of the 403 malicious apps, but Meta believes that fewer than the total number notified actually had their credentials stolen.

Notified users will be directed to a new dedicated help article that explains why they have been notified and walks them through securing their accounts.

The company will not detail how it identified which users may have been impacted by the malicious apps, for fear of tipping off threat actors about its security research methods.

The apps used by cyber criminals to steal account data were mostly on Android’s Google Play store. A total of 356 of the identified apps were Android-based compared to just 47 on Apple’s App Store.

Android users are typically more exposed to these kinds of attacks because the operating system allows apps to be installed from third-party app stores and direct downloads that Google does not vet.

Users can be tricked into following links to such stores, where malware-laden apps can be downloaded and installed and then carry out whatever tasks the attacker built into them, such as stealing passwords.

Apple’s iPhones can only install apps from the Apple-controlled App Store, which reviews each submission before listing it.

Generally speaking, this keeps the number of mobile malware cases affecting Apple’s hardware comparatively small, but the Meta incident highlights that App Store review is not a guarantee: some malicious entries still slip through.

Meta said the apps involved were available on third-party app stores, but were also listed on Apple’s and Google’s official stores.

The malicious apps took various disguises but the most common theme was fake photo-editing apps, comprising more than 42% of the total number.

The vast majority of apps impacting iOS users appeared to be focused on business-related functions such as Facebook advert managers and analytics.

“This is a highly adversarial space and while our industry peers work to detect and remove malicious software, some of these apps evade detection and make it onto legitimate app stores,” said Meta in a blog post.

“We’ve reported these malicious apps to our peers at Apple and Google and they have been taken down from both app stores prior to this report’s publication.

“We are also alerting people who may have unknowingly self-compromised their accounts by downloading these apps and sharing their credentials, and are helping them to secure their accounts.”

Meta said these apps typically claim to offer either a fun or useful service and greet users with a ‘Login with Facebook’ option at launch.

Choosing this option presents a login form controlled by the app rather than by Facebook; the real Facebook credentials the user types in are captured by the app and relayed to the cyber criminals behind it.

Many of the apps identified by the company offered no functionality at all until the user had logged in with Facebook - a telltale sign of a fraudulent campaign, it said.
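The distinguishing feature of these apps is where the password goes. With the official Facebook Login flow, the app opens Facebook's own OAuth dialog and only ever receives a token; the password is typed into a Facebook page. A fake "Login with Facebook" form instead posts the password to infrastructure the attacker controls. The following added example (not Meta's code, nor from the report it published) shows the check an app-vetting analyst can run over captured HTTP traffic, for instance flows exported from an intercepting proxy: flag any POST that carries credential-looking fields to a host that is not Facebook's. The sample flows, the app and attacker hostnames, and the credential field names are constructed for the example; the lookalike host shows why the domain check must match whole labels rather than prefixes.

```python
"""Flag app traffic that posts Facebook credentials anywhere other than
Facebook's own domains.  Added example; not Meta's code.  The sample flows,
hostnames and field names are constructed for illustration."""
import json
from urllib.parse import parse_qs, urlsplit

# Hosts that may legitimately receive a Facebook password: Facebook's own
# login pages, which the official SDK opens in the browser or a webview.
FACEBOOK_DOMAINS = ("facebook.com", "fb.com")

# Body field names treated as credentials.  Assumption for this example;
# a real vetting tool would tune the list to the app under test.
CREDENTIAL_FIELDS = {"email", "pass", "password", "login", "username"}


def host_is_facebook(host):
    """True only for a Facebook domain itself or a subdomain of one.

    A naive startswith("facebook.com") check would accept lookalikes such as
    facebook.com.login-secure.example, so match on whole DNS labels."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in FACEBOOK_DOMAINS)


def body_fields(content_type, body):
    """Return the set of top-level field names in a request body.

    Handles the two encodings a mobile login form typically uses; anything
    else (multipart, protobuf, malformed JSON) yields no fields."""
    media_type = (content_type or "").split(";")[0].strip().lower()
    if media_type == "application/x-www-form-urlencoded":
        return set(parse_qs(body or "", keep_blank_values=True))
    if media_type == "application/json":
        try:
            data = json.loads(body or "")
        except ValueError:
            return set()
        return set(data) if isinstance(data, dict) else set()
    return set()


def credential_leaks(flows):
    """Return (host, path, credential_fields) for every POST that sends
    credential fields to a host outside Facebook's domains."""
    findings = []
    for flow in flows:
        if flow["method"].upper() != "POST":
            continue
        parts = urlsplit(flow["url"])
        fields = body_fields(flow.get("content_type", ""), flow.get("body", ""))
        creds = sorted(fields & CREDENTIAL_FIELDS)
        if creds and not host_is_facebook(parts.hostname or ""):
            findings.append((parts.hostname, parts.path, creds))
    return findings


# Constructed sample capture: one legitimate login and one phishing app.
SAMPLE_FLOWS = [
    # Official Facebook Login: the app opens Facebook's OAuth dialog ...
    {"method": "GET",
     "url": "https://m.facebook.com/v15.0/dialog/oauth?client_id=1234567890"
            "&redirect_uri=fb1234567890://authorize&response_type=token"},
    # ... and the password is typed into Facebook's own page, not the app's.
    {"method": "POST", "url": "https://m.facebook.com/login/",
     "content_type": "application/x-www-form-urlencoded",
     "body": "email=alice%40example.com&pass=hunter2"},
    # Benign traffic to the app's own backend: no credential fields.
    {"method": "POST", "url": "https://api.photo-magic-editor.example/v1/filters",
     "content_type": "application/json",
     "body": '{"filter": "vintage", "image_id": 42}'},
    # Fake "Login with Facebook" form: the app posts the password to itself.
    {"method": "POST", "url": "https://api.photo-magic-editor.example/v1/fb_login",
     "content_type": "application/x-www-form-urlencoded",
     "body": "email=alice%40example.com&pass=hunter2&device=android"},
    # Lookalike host that a prefix check on "facebook.com" would wave through.
    {"method": "POST", "url": "https://facebook.com.login-secure.example/auth",
     "content_type": "application/json",
     "body": '{"username": "alice@example.com", "password": "hunter2"}'},
]


if __name__ == "__main__":
    for host, path, creds in credential_leaks(SAMPLE_FLOWS):
        print(f"credentials {creds} posted to {host}{path}")
```

Running the block reports the two phishing POSTs and stays silent on the legitimate login to m.facebook.com and the benign backend call. One consequence of this distinction for remediation: because the malicious app captured the password itself rather than obtaining an OAuth grant, removing the app from the "Apps and Websites" list on Facebook does nothing for the victim; the password has to be changed and active sessions logged out.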

The campaign is especially threatening to businesses that rely on social media for key operations such as marketing or advertising.

The fact that the iOS apps mainly posed as advert and analytics managers for Facebook pages is indicative of the attackers’ motives - they are targeting users who almost certainly have business accounts.

Examining the number and quality of reviews an app has will usually indicate whether it is trustworthy, but Meta said it is common for such apps to generate fake reviews to increase the perception of authenticity.

Connor Jones
