BATON ROUGE, La. (BRPROUD) – Security researchers at Meta, the parent company of Facebook, revealed Friday that they found more than 400 malicious iOS and Android apps this year that were designed to steal personal Facebook login information.

Up to one million users are expected to have been affected, according to a company blog post. Meta said the apps identified were listed in Apple’s app store and Google Play Store as games, photo editors, health and lifestyle services, and other apps to trick people into downloading them. Often, the app would ask users to “login with Facebook,” and later steal their username and password, according to the company. 

“This is a highly adversarial space and while our industry peers work to detect and remove malicious software, some of these apps evade detection and make it onto legitimate app stores,” said Meta Director of Threat Disruption, David Agranovich.

Meta said it reported the apps to Apple and Google, which have since been taken down. Meta did not specifically disclose which 400 apps they were referring to, but did provide examples including:

  • Photo editors, including those that claim to allow you to “turn yourself into a cartoon”
  • VPNs claiming to boost browsing speed or grant access to blocked content or websites
  • Phone utilities such as flashlight apps that claim to brighten your phone’s flashlight 
  • Mobile games that falsely promise high-quality 3D graphics
  • Health and lifestyle apps such as horoscopes and fitness trackers
  • Business or ad management apps that claim to provide hidden or unauthorized features not found in official apps by tech platforms.