Earlier this month, security researchers from Meta found 400 malicious Android and iOS apps designed to steal user Facebook login credentials.
Such mobile malware, which Malwarebytes typically detects as Android/Trojan.Spy.Facestealer, usually arrives as an app disguised as a useful or entertaining tool. Before the app can be used fully, it asks the user to log in to Facebook, and the username and password entered into that login form are sent to the fraudsters.
Stolen credentials can be used to compromise Facebook accounts. From there, the criminals can harvest more data about the original account owner, message friends or family members and scam them, or use these accounts to promote the FaceStealer app (among other things).
Meta gave short descriptions of the kinds of FaceStealer apps found on both the Google Play Store and the Apple App Store:
- Photo editors, including those that claim to allow you to “turn yourself into a cartoon”
- VPNs claiming to boost browsing speed or grant access to blocked content or websites
- Phone utilities such as flashlight apps that claim to brighten your phone’s flashlight
- Mobile games falsely promising high-quality 3D graphics
- Health and lifestyle apps such as horoscopes and fitness trackers
- Business and ad management apps claiming to provide hidden or unauthorized features not found in official apps by tech platforms
If the apps appear to have positive reviews, that is likely because the developers are thought to be posting fake five-star reviews to bury the negative ones. This is a known social engineering tactic to entice more users into trying an app.
FaceStealer has been around for a while. The apps disappear after making headlines, and then FaceStealer pops up again as a different app. And while some apps are reported or actively detected, many evade detection and end up on legitimate app stores.
“The industry, in general, has not been great at detecting these, and everyone is playing catch-up,” said Nathan Collier, Malwarebytes Senior Malware Intelligence Analyst for Android.
Meta said it is alerting Facebook users who may have inadvertently “self-compromised” by entering their Facebook credentials into the malicious apps.
If you think you’ve entered your Facebook credentials into a dodgy app, change your password immediately. Don’t reuse a password you use on other accounts, and enable two-factor authentication (2FA) on your Facebook account. You can also have Facebook alert you about login attempts on your account.
Finally, report suspicious apps to Meta through its Data Abuse Bounty program.