Scammers recently used their own third-party Android applications (apps) to hijack over 10,000 Facebook accounts. If you were to download and open one of these malicious apps, you’d see a familiar feature: the “Continue with Facebook” button. Legitimate apps often integrate with websites like Facebook to make account creation quick and easy. In malicious apps, this type of link often leads to a phony login page designed to steal your login credentials.

This scam is unique because clicking the “Continue with Facebook” button actually opens the official Facebook login page. If you log in to your Facebook account, you’ll give the bad guys far more than your username and password. The malicious apps include an extra bit of code that gathers your account details, location, IP address, and more. Once they hijack your account, the bad guys can use it to generate ad revenue, spread disinformation, or even scam your friends and family.

Follow these tips to stay safe from malicious applications:

Though this attack targets Android users, the technique could be used on any kind of device, even desktop computers. Always be careful when downloading apps or software, regardless of the device that you are using.
Before downloading an app, read the reviews and ratings. Look for critical reviews with three stars or less, as these reviews are more likely to be real.
Only download apps from trusted publishers. Remember, anyone can publish an app on official app stores, including cybercriminals.