Facebook is notifying 1m users that their login details may have been stolen thanks to fake Android and Apple programmes posing as legitimate mobile apps.
“Our security researchers have found more than 400 malicious Android and iOS apps this year that were designed to steal Facebook login information and compromise people’s accounts,” said David Agranovich, Facebook’s director of threat disruption.
The malicious apps were uploaded to the Apple and Google Play app stores and posed as innocent, unrelated programmes. Some appeared to be photo-editing software, Facebook said, while others posed as free games or music players.
Apple’s iOS and Google’s Android are the two most widely used mobile phone operating systems in the world, being installed on billions of smartphones and tablet devices.
All of the malicious apps detected by Facebook had been removed from the iOS and Android app stores before the news was made public, Facebook added. About 10pc of the fake programmes were on the Apple App Store.
“We are also alerting people who may have unknowingly self-compromised their accounts by downloading these apps and sharing their credentials, and are helping them to secure their accounts,” said Mr Agranovich.
Such apps work by copying the look and feel of features such as the “Sign in with Facebook” button. Instead of checking the username and password with Facebook’s servers, malicious apps simply send them to their creators.
Stolen login information is prized by cyber criminals as it gives access to further personal information about the account holder that can be used for identity theft or other kinds of fraud.
Usernames and passwords are also bought and sold by cyber criminals who match stolen accounts with other information such as home addresses or credit card details obtained from other criminal sources.
Facebook advised users to be cautious about installing mobile apps that required a login to function: “Be suspicious of a photo-editing app that needs your Facebook login and password before allowing you to use it.”
While both Apple and Google attempt to vet new apps being published on their app stores, the task is a vast one: Apple says it hosts 2 million programmes, while Google’s Play Store – the Android equivalent – has slightly more, at around 2.65m.