Facebook Trojan Brazen but Benign

By  |  Monday, December 21, 2009 at 9:01 pm

This past weekend, a trojan mimicked Facebook’s native functionality and sent notifications on the user’s behalf. While Facebook says that the application was harmless, its ability to break through a boundary of trust on the platform alarmed me.

The trojan came to my attention on Saturday after I received several Facebook notifications (in the form of a red number in the bottom right of the page) telling me that friends had commented on my photos. It was the same notification that I receive on a day-to-day basis.

When I clicked on the notification, it attempted to load an application called “Phutos,” which wanted access to my personal information and social network. I declined. A few minutes later, another notification appeared, but I was not taken to the application screen after I clicked on it. That seemed fishy, so I decided to review my applications.

“Phutos” was under my list of recently used applications–even though I never authorized its installation. At that point, I uninstalled the application and notified Facebook of my findings. Obviously, I also had some questions for it.

Facebook spokesperson Simon Axton stayed in steady contact with me over the weekend, and informed me today that the company had disabled the application because it violated Facebook’s Developer Principles and Policies. Facebook had determined that the application did not contain any malware, and has a dedicated enforcement team that investigates reports about suspicious applications, he told me.

When I asked what else Facebook does to protect its users, Axton said “We rely on reports from users for suspicious applications. Our team also conducts spot reviews of top applications and of many other applications, including looking at the data they need to run the application versus the data they gather. When we find a violation, we take action to enforce our policies.”

It’s great that Facebook says it’s taking its users’ safety seriously, but I am taken back by how easily a third-party application could mimic Facebook’s default Web applications. Users can now specify what information applications may access, but everyone users Facebook differently, so there is a bounty of information for malware to exploit.

There should be a wall between the Facebook development platform and the applications that make up the site itself.


Read more: , , ,

2 Comments For This Post

  1. Bouke Timbermont Says:

    I agree, because I had the very same thing a few days ago, but with an app named “Photos” (Just like the regular app!), telling em I was tagged in a picture! As soon as I clicked on the notification, I got another notification telling me I sent a similar message to ALL MY FRIENDS (telling them I tagged them in a picture…) I immediately blocked the app, and of course reversed the notification (you can do this with notifications sent by apps until a few seconds after it is sent)

  2. Brian Mac Dougall Says:

    I thought that my friend had posted pictured of a 4-wheel roll-over that he said he would post. When I opened it, it showed a link to take me to the pics. It woudn’t open. Within the next week a personal message started being sent to the friends on my list saying ” Is this your photo?” I have warned my people on the news feed not to open these messages. I deactivated the account associated with e-mail address. I opened another account on a g-mail account, I filled in most all of the information for my profile and requested some of my friends from my first account to be my friends and went to bed. When I logged in the next morning, face said I needed my confirmation number. I went back to my email and found a facebook conformation email. I opened it and it gave me a link and it took me to the opening a facebook account and I filled in the answers to the same question which unknowing to me opened a third account. I need help and can’t really find anywhere to explain whats going on . What do I do?