Meta security researchers discovered 400 malicious Android and iOS apps designed to steal users' Facebook login credentials earlier this month. FaceStealer is typically delivered in the form of an app disguised as a useful or entertaining tool. However, before users can use the app fully, it requires them to log in to their Facebook accounts, at which point their usernames and passwords are sent to the fraudsters.
Stolen login information can be used to compromise Facebook accounts. From there, the criminals can gather more information about the original account owner, message and scam friends or family members, or use these accounts to promote the FaceStealer app (among other things).
Meta provided a brief description of the FaceStealer apps available on the Google Play Store and the Apple App Store:
- Photo editors, including those that claim to be able to “transform you into a cartoon”
- VPNs that claim to increase browsing speed or provide access to restricted content or websites
- Phone utilities such as flashlight apps that claim to brighten the flashlight on your phone
- Mobile games that falsely claim to have high-quality 3D graphics
- Health and lifestyle apps, such as horoscopes and fitness trackers
- Apps claiming to provide hidden or unauthorized features not found in the official apps of tech platforms for business and ad management
If the apps appear to have positive reviews, it may be because the developers fabricated five-star reviews in order to bury the negative ones. This is a well-known social engineering technique used to entice users to try an app.
FaceStealer has been around for quite some time. After making headlines, the apps vanish, and FaceStealer reappears as a different app. While some apps are reported or actively detected, many others slip through the cracks and end up in legitimate app stores.
“In general, the industry has been slow to detect these, and everyone is catching up,” said Nathan Collier, Malwarebytes Senior Malware Intelligence Analyst for Android.
Meta stated that it is notifying Facebook users who may have inadvertently “self-compromised” by using their Facebook credentials to access malicious apps.
If you suspect you’ve entered your Facebook credentials into a malicious app, change your password right away. Don’t reuse passwords from other accounts, and make sure to enable two-factor authentication (2FA) on your Facebook account. You can also configure Facebook to notify you of attempted logins to your account.