Meta Sues Chinese Fake App Makers for Allegedly Breaching Over 1 Million WhatsApp Accounts

Facebook parent company Meta has filed a lawsuit against several Chinese developers accusing them of creating knock-off WhatsApp Android apps that were used to hijack over a million user accounts. The company also revealed it had identified some 400 apps dedicated to stealing Facebook login credentials and reported them to Apple and Google.

On Tuesday, the tech giant filed suit in a U.S. District Court in San Francisco against Rocky Tech, Luokai Technology, and ChitChat Technology — three separate companies based in Hong Kong, Beijing, and Taipei City, respectively. The suit accuses the defendants of facilitating a scheme to take over more than one million WhatsApp accounts using trojanized apps that were advertised as “modified” versions of WhatsApp. These apps, which were promoted as “legitimate alternatives” to the encrypted messaging service, were actually loaded with malware. Unbeknownst to the hapless users who downloaded them, the apps would pilfer personal device information, allowing for account takeovers, according to Meta’s lawsuit.

Why anyone would want a sketchy “modified” version of an app that is already free and easy to download is beyond me but, hey, it is what it is! Presumably the victims already had WhatsApp user accounts but weren’t satisfied with the customisation options of the real apps? The knock-off app versions are said to have offered the ability to change the “look and feel” of WhatsApp accounts and claimed to offer theme and colour variations.

“After victims installed the Malicious Applications, they were prompted to enter their WhatsApp user credentials and authenticate their WhatsApp access on the Malicious Applications,” the suit claims, explaining that the defendants would then facilitate the “misappropriation of users’ WhatsApp account keys, which include authentication information from the victim’s device and used them to access the victim’s WhatsApp account without authorization.”

Unfortunately, this seems to have happened quite a lot. The suit claims that the scheme managed to trick “over one million WhatsApp users into self-compromising their accounts.” Once accounts were compromised, the bad actors would frequently use their access to send commercial spam messages.

In an attempt to stop these takeovers, Meta says it previously sent cease and desist letters to the bad actors, disabled Facebook accounts linked to the scheme and also reported the malicious apps to the Google Play store and other third-party platforms to get them taken down. Bleeping Computer reports that, since July, Android’s Google Play Protect has been updated to detect and disable previously downloaded versions of the phony apps.

These aren’t Meta’s only account-takeover woes, apparently. On Friday, Meta’s security team published a report revealing that the company had recently uncovered some 400 different mobile apps devoted to stealing Facebook user login information. These trojans — 355 for Android and 47 for iOS — snuck their way onto Google Play and the Apple App Store, where they were listed as a variety of innocuous-sounding programs like photo editors, games, and VPN services. In reality, the apps pilfered users’ account credentials and allowed for account hijacking. The apps have since been taken down, Meta says.

“Malicious developers create malware apps disguised as apps with fun or useful functionality — like cartoon image editors or music players — and publish them on mobile app stores,” the report says.