"Google Play Store and Apple's App Store listed all these apps on their stores for download, disguised as photo editors, VPN services, games, business apps, and other utilities to trick people into downloading them," the social media behemoth said in a report shared with The Hacker News.
Of the rogue apps, 42.6% were photo editors, followed by business utilities (15.4%), phone utilities (14.1%), VPNs (11.7%), games (11.7%), and lifestyle apps (4.4%). Interestingly, a majority of the iOS apps posed as ads manager tools for Meta and its Facebook subsidiary.
Besides disguising the malicious apps as a set of seemingly harmless ones, the operators of the scheme also published fake reviews designed to offset the negative reviews left by users who may have previously downloaded the apps and to convince new users to trust the apps and download them.
The apps were ultimately built to steal the credentials users entered, by displaying a "Login With Facebook" prompt.
"Once the login information has been stolen, attackers will definitely gain full access to a person's account and do things like message their friends or access private information," the company said.
All the apps in question have been taken down from both app stores. The list of 402 apps (47 iOS apps and 355 Android) can be accessed here.
As always with apps like these, it's essential to exercise caution before downloading apps and granting them access to Facebook in exchange for the promised functionality. This includes scrutinizing app permissions and reviews, and also verifying the authenticity of the app developers.
The disclosure also comes as Meta-owned WhatsApp filed a lawsuit against three companies based in China and Taiwan for allegedly misleading over a million users into compromising their own accounts by distributing bogus versions of the messaging app.