According to a blog post by Meta's security team, these apps pose as "fun" utilities, such as music players or cartoon photo editors, to trick unsuspecting users into installing them. Once installed, the app prompts the user to "log in with Facebook", a flow that legitimate apps commonly offer and that users have learned to trust.
The login form the user is shown, however, is fake. It only mimics Facebook's, and any credentials typed into it are written to a database controlled by the threat actor.
With those credentials, the threat actors can then log into the victim's account and impersonate them, using the account to social engineer the victim's friends and connections into giving up their own information.
According to Meta, other types of fraudulent apps included "mobile games falsely promising high-quality 3D graphics," "health and lifestyle apps such as horoscopes and fitness trackers" as well as "VPNs claiming to boost browsing speed or grant access to blocked content or websites."
Meta's advice is to scrutinize an app before trusting it with a login. If the app cannot be used at all without first logging in with Facebook, the Meta security team warns that it is likely a fake. Users should also check an app's reviews, download count, and ratings before installing it, to see whether others have already reported problems with it.
If you have accidentally entered your information into one of these apps, Meta asks that you reset your password and enable two-factor authentication.