Facebook is suing a pair of Ukrainian men for allegedly using quiz and test apps to gain access to private user data and friends lists, according to a federal lawsuit filed by the social network on Friday.

The defendants, Gleb Sluchevsky and Andrey Gorbachov, are accused of using fake apps to trick users into install malicious browser extensions. These extensions are said to have been used to ‘scrape’ user information and place ads on social media sites, including Facebook, when the user visited through the browser that had become home to the malicious extension.

Secret identity
Sluchevsky and Gorbachov are alleged to have used aliases to operate at least four apps – including ‘Supertest’, ‘FQuiz’, ‘Megatest’, and ‘Pechenka’ – and are both affiliated with a company called the Web Sun Group, which offered web development and other technical consulting services. The apps predominantly targeted Russian and Ukrainian users and compromised around 63,000 browsers used by Facebook users, causing $75,000 in damages to Facebook, between 2016 and 2018.

“Defendants’ fraudulent applications falsely represented, to anyone using the Facebook Login feature, that the user was only granting the applications access to a limited amount of public Facebook profile information,” reads the lawsuit. “In fact, Defendants knew that the applications were designed to scrape the app users’ public profiles on Facebook and other social networking sites, and to prompt users to install malicious extensions for the purpose of manipulating the users’ browsers and collect the users’ private and non-publicly viewable lists of friends when the app user visited the Facebook site.

“After users logged into the fraudulent applications, Defendants caused the applications to falsely represent to users: (a) that the malicious extensions were legitimate, and (b) necessary in order for the applications’ notifications to operate.”

Despite there being some similarities between this case and the well-known Cambridge Analytica scandal, the difference lies in the fact that users unknowingly compromised their own browsers with this case. On the other hand, Cambridge Analytica were given access to user data through Facebook’s own policies at the time.