Tech giant Meta said it has notified a million Facebook users that their usernames and passwords might have been stolen after downloading one of over 400 malicious Android and iOS smartphone apps.
The apps were discovered in the Google Play Store and Apple's App Store over the course of the last year, posing as popular types of software.
According to Meta, four in 10 of the apps posed as photo editors, while others posed as games, VPNs, health trackers, business applications, flashlight enhancers and other services to trick users into downloading them.
Users who downloaded the malicious apps were asked to log in with their Facebook account before they could use the features they were promised – and if the user entered their username and password, it handed their credentials to the attackers.
Many of the apps were useless and did not provide the functions they advertised – because once the user provided their credentials, the attackers had already got what they wanted.
Also: A security researcher easily found my passwords and more: How my digital footprints left me surprisingly over-exposed
With stolen login information, attackers can gain access to a person's account, providing them with the ability to access private information, or send malicious phishing messages to the victim's contacts. And if the victim also uses their Facebook account to log in to other applications and services, the attackers will also be able to access those – and potentially gain access to additional sensitive data.
As the downloads have been developed outside the Meta ecosystem, the tech firm can't be certain how many people have installed the malicious apps – but the company has notified around a million users that they may have been put at risk.
"In this case, we are being kind of over broad, over cautious and notifying anyone we think may have been exposed to applications like this, which is about a million people," David Arganovich, global director of threat disruption at Meta, told ZDNET.
The notifications have two aims – one is to inform people they've downloaded a malicious app and tell them what steps they should take to secure their account if they've entered their login details. The second is to warn people who've potentially downloaded the apps and are yet to enter their account details that they shouldn't do this.
If the attackers have access to a Facebook account, they also have the freedom to change the password and lock the victim out – and Meta says that when this has happened, it's worked to restore access to the user.
"We're also taking steps in the course of our investigation to remediate accounts where we can that do appear to have been compromised and restore access for users who might have actually lost access to their account," said Arganovich.
Meta is also providing advice to users on how to spot a malicious app. The suggested tell-tale signs include apps asking for social media credentials – especially if there's no need for the app to need this data. Another sign is the developer advertising features that the app doesn't have. A string of poor reviews with complaints that the app doesn't work as advertised could be a key sign that something isn't right.
"I'd encourage people to look at the app store reviews particularly the negative reviews, because you may see people explicitly calling out the fact that the app was a scam, that their account may have been hacked, or that it was otherwise misleading, and it's functionality or purpose," Agranovich said.
If users suspect they've downloaded a malicious app that has provided cyber criminals with their login information, it's recommended that they create a new, strong password – one that isn't used across multiple websites.
Also: How to keep your bank details and finances more secure online
It's also recommended that users apply multi-factor authentication to their Facebook account to provide an extra barrier to unauthorized logins. Users should also turn on login alerts for notifications that someone could be trying to access their account.
Facebook has detailed a list of the malicious apps for Android and iOS in their security warning about accounts being compromised. The company also reported the findings to Google and Apple.
"All of the apps identified in the report are no longer available on Google Play. Users are also protected by Google Play Protect, which blocks these apps on Android," a Google spokesperson told ZDNET. The apps have also been removed from the Apple App Store.