Tens of Thousands of Malicious Apps Using Facebook APIs

The apps are deemed malicious by doing things such as capturing pictures and audio when the app is closed, or making an unusually large amount of network calls.

At least 25,936 malicious apps are currently using one of Facebook’s APIs, such as a login API or messaging API. These allow apps to access a range of information from Facebook profiles, like name, location and email address.

Trustlook discovered the malicious apps using a formula, which created a risk score for apps based on more than 80 pieces of information for each app, including permissions, libraries, risky API calls and network activity.

“The Cambridge Analytica data-harvesting scandal was mainly a result of developers abusing the permissions associated with the Facebook Login feature,” Trustlook researchers said, in a post. “When people use Facebook Login, they grant the app’s developer a range of information from their Facebook profile. Back in 2015, Facebook also allowed developers to collect some information from the friend networks of people who used Facebook Login. That means that while a single user may have agreed to hand over their data, developers could also access some data about their friends. Needless to say, this realization among Facebook users has caused a huge backlash.”

Not that the 25,936 apps are all doing the same thing that led to the Cambridge Analytica issue. A malicious app (with a risk score above 7) “might be doing things such as capturing pictures and audio when the app is closed, or making an unusually large amount of network calls,” a spokesperson told Threatpost.

To be fair, Facebook is not the only company with its APIs embedded in malicious applications. Twitter (which was just found to have sold data to a Cambridge Analytica-linked company), LinkedIn, Google, and Yahoo offer similar options to developers, and thus their user data faces similar exposure, researchers pointed out.

“The problem, for the most part, is that this is data that is provided when their login is used elsewhere. The API is simply passing through intelligence it has gathered from their profile,” said Chris Roberts, chief security architect at Acalvio, via email. “LinkedIn, Google and Twitter, among others, have similarly flawed APIs that can be used to harvest information both about you (the target) and possibly associated individuals…depending upon queries and other developer privileges that are being exploited.”

David Ginsburg, vice president of marketing at cybersecurity risk posture and compliance specialist Cavirin, noted that the other issue lies in the internecine, convoluted privacy statements and policies offered to consumers.

“Even if one is selective on adding third-party apps, [understanding] the privacy and data policies require a Harvard MBA,” he said via email. “Using the new Instagram (a Facebook property) policies (as of April 19) as an example, the Terms of Use run to more than 3,000 words and is judged as ‘difficult to read.’ The data policy runs to over 4,000 words.”

He added, “We almost need a national zero-out settings day where everything, everywhere is set to opt-out, and from that point on, individuals must re-opt to third parties. Yes, an inconvenience, but in light of abuses, required. At my employer, we do a lot with GDPR [the European data protection regulation set to go into effect in May], and there is a growing consensus that we need an equivalent in the U.S.”

Speaking of regulation, the drumbeat on that continues to grow. A full 70 percent of respondents in a survey of 512 security pros at the RSA Conference 2018 said governments should regulate the collection of personal data by social media companies to protect user privacy.

However, not everyone believes regulation is the answer, given that 72 percent of respondents in the survey believe government officials lack a good understanding of the threats impacting digital privacy; meanwhile, 74 percent said government officials do not have a good understanding of the current cyber-threat landscape in general.

“These results are disturbing,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, which conducted the poll. “While security professionals agree that government officials do not understand the nuances of social media and digital privacy, they’re still looking to them to regulate the technology that permeates our daily lives.”

Regardless, it’s clear that social networks of all stripes should change up their approaches.

“It’s our position that just as Coke does not want its ads running on certain websites, Facebook should not want malicious app developers using its APIs,” the Trustlook spokesperson told us.

Suggested articles