Meta Sues Chinese Fake App Makers for Allegedly Breaching Over 1 Million WhatsApp Accounts

Meta’s security team also revealed that the company had uncovered some 400 different mobile apps devoted to stealing Facebook user login information.

Facebook parent company Meta has filed a lawsuit against several Chinese app developers, accusing them of creating malicious knock-off versions of WhatsApp that were used to hijack over a million user accounts.

On Tuesday, the tech giant filed suit in a U.S. District Court in San Francisco against Rocky Tech, Luokai Technology, and ChitChat Technology—three separate companies based in Hong Kong, Beijing, and Taipei City, respectively. The suit accuses the defendants of facilitating a scheme to take over more than one million WhatsApp accounts using trojanized Android apps that were advertised as “modified” versions of WhatsApp. These apps, which were promoted as “legitimate alternatives” to the encrypted messaging service, were actually loaded with malware and, unbeknownst to the hapless users who downloaded them, would pilfer personal device information—thus allowing for account takeovers.


Why anyone would want a sketchy “modified” version of an app that is already free and easy to download is beyond me but, hey, it is what it is! Presumably the victims already had WhatsApp user accounts but weren’t satisfied with the customization options? The knock-offs are said to have offered the ability to change the “look and feel” of WhatsApp accounts and claimed to offer theme and color variations.

“After victims installed the Malicious Applications, they were prompted to enter their WhatsApp user credentials and authenticate their WhatsApp access on the Malicious Applications,” the suit claims, explaining that the defendants would then facilitate the “misappropriation of users’ WhatsApp account keys, which include authentication information from the victim’s device and used them to access the victim’s WhatsApp account without authorization.”


Unfortunately, this seems to have happened quite a lot. The suit claims that the scheme managed to trick “over one million WhatsApp users into self-compromising their accounts.” Once accounts were compromised, the bad actors would frequently use their access to launch commercial spam campaigns.

In an attempt to put a stop to all this, Meta says it previously sent cease and desist letters to the bad actors, disabled Facebook accounts linked to the scheme and also reported the malicious apps to the Google Play store and other third-party platforms to get them taken down. Bleeping Computer reports that, since July, Android’s Google Play Protect has been updated to detect and disable previously downloaded versions of the phony apps.


These aren’t Meta’s only account-takeover woes, however. On Friday, Meta’s security team published a report revealing that the company had recently uncovered some 400 different mobile apps devoted to stealing Facebook user login information. These trojans—355 for Android and 47 for iOS—snuck their way onto Google Play and the Apple App Store, where they were listed as a variety of innocuous-sounding programs like photo editors, games, and VPN services. In reality, the apps pilfered users’ account credentials and allowed for account hijacking. The apps have since been taken down, Meta says.

In short: if you don’t want someone stealing your Facebook account, please be careful what you download. If it’s a weird free app that promises you things that sound too good to be true, might be best to do a background check before hitting download.