Meta is warning Facebook users about hundreds of apps in the app stores that were designed to steal their login credentials. The company says it has identified over 400 malicious apps that masquerade as games, photo editors, and other utilities and that it is notifying users who may have inadvertently self-compromised their accounts. A million users may have been affected by the situation.

Meta says that the apps tricked people into downloading them with fake reviews and promises of useful functions, which are common tactics for other scam apps. Some of the apps forced users to log in with Facebook after opening them, which let the developers steal those users' credentials.

[Figure: pie chart labeled “categories of malicious apps.” Photo editor is 42.6 percent, business utility is 15.4 percent, phone utility is 14.1 percent, game is 11.7 percent, VPN is 11.7 percent, and lifestyle is 4.4 percent. Caption: Meta’s breakdown of what apps pretended to be in order to steal people’s info. Image: Meta]

It's not a great look that the apps were on the stores in the first place. For years, Apple has argued against sideloading apps on the iPhone, saying that the ability to install apps from outside the App Store is a cybercriminal's best friend. It says its App Review process has helped it build trust for millions of applications. Yet some scam apps on the platform rake in millions of dollars, and the company has struggled to rein them in.

Out of the 402 malicious apps Meta identified, 355 were for the Play Store, and 47 were for the iPad. Every single one of the apps on the phone was related to managing business pages or ads. It's hard to understand how "very business manager" got past Apple's app review process.

Neither Apple nor Google immediately responded.

When it comes to apps that attempt to steal your login info, Meta's post details some good warning signs to look out for.