A malicious “color change” app has shouwed on social networking giant Facebook, and it’s already infected thousands of users.
The app, dubbed Facebook Color Changer, claims to let you change the color of your Facebook profile—but it’s actually a scam, according to Chinese Internet company Cheetah Mobile.
The link appears to take you to the URL apps.facebook.com/themsandcolors, but actually reroutes you to a malicious phishing site.
From estimates, the scam is predicted to have already impacted more than 10,000 people in multiple countries.
“Cheetah Mobile researchers have found this issue to be happening due to a vulnerability that lives in Facebook’s app page itself, allowing hackers to implant viruses and malicious code into Facebook-based applications [which] directs users to phishing sites,” the company wrote in a blog post.
The phishing site has two ways of exploiting users. First, it asks you to watch a so-called color changer tutorial video. If you watch the video, it steals your Facebook access tokens, which gives the hackers temporary access to your Facebook friends, Cheetah Mobile said.
If you don’t view the video, it tries to get you to download a malicious application to spread the malware to other people.
“If a user is on a PC, the site leads them to download a pornography video player,” Cheetah Mobile explained. “If the user is on an Android device, it issues a warning saying the device has been infected and advises users to “download now” a suggested app.”
If you have fallen vidtim to this malware, don’t freak out. There are steps you can take to protect yourself.
If you watched the tutorial video, you should immediately change your Facebook password and remove the color changer app from your profile via the Facebook app settings menu. To get there, click the apps tab from the settings page, find Facebook color changer under the section “Apps you use,” and delete it.