Date: 2022-10-10

Meta has revealed that the passwords of over a million Facebook users have been compromised by a series of malware apps that purport to be anything from photo editors to VPNs.

David Agranovich, Director of Threat Disruption at Meta, revealed the company had identified more than 400 malicious Android and iOS apps this year that were designed to steal Facebook login information and compromise people’s accounts.

These apps were listed on the Google Play Store and Apple’s App Store and disguised as numerous utilities.

These include photo editors that claim to “turn yourself into a cartoon”; VPNs claiming to boost browsing speed or grant access to blocked content or websites; flashlight apps; mobile games; horoscopes and fitness trackers; and business or ad management apps “claiming to provide hidden or unauthorised features” not found in official apps.

When one of these apps is installed, it asks the user to log in with Facebook in order to use the app, a common request from non-malicious apps. Once the user enters their credentials, the malware steals the username and password.

“Our sense here is that this wasn’t kind of a specific geographically targeted thing,” Agranovich said.

“This was more an attempt to just get access to as many login credentials as possible.”

Meta now has the task of informing one million Facebook users that their passwords have been compromised.

Google claims none of the apps identified in the report are available on Google Play, while Apple said that, of the 400, only 45 were available through its App Store and that these have since been removed.

A full list of the dodgy apps is available on Meta’s website.