A new Android trojan has been discovered to breach the Facebook accounts of over 10,000 people in at least 144 countries since March 2021 through Google Play Store and other third-party application marketplaces.
According to a report published by Zimperium's zLabs and shared with The Hacker News, the malware, termed "FlyTrap," is presumed to be a component of a family of trojans that use social engineering techniques to compromise Facebook accounts as part of a session hijacking campaign planned and executed by malicious actors operating out of Vietnam.
Aazim Yaswant, a Zimperium malware researcher, noted that although the nine infringing apps have been removed from Google Play, they are still available in third-party app stores, emphasizing the danger that sideloaded applications pose to mobile endpoints and user data. The following is the list of affected apps:
1. GG Voucher (com.luxcarad.cardid)
2. Vote European Football (com.gardenguides.plantingfree)
3. GG Coupon Ads (com.free_coupon.gg_free_coupon)
4. GG Voucher Ads (com.m_application.app_moi_6)
5. GG Voucher (com.free.voucher)
6. Chatfuel (com.ynsuper.chatfuel)
7. Net Coupon (com.free_coupon.net_coupon)
8. Net Coupon (com.movie.net_coupon)
9. EURO 2021 Official (com.euro2021)
The fraudulent applications claim to provide Netflix and Google AdWords coupon codes, as well as the option to vote for their favorite teams and players at UEFA EURO 2020, which took place between June 11 and July 11, 2021, but only if users log in with their Facebook accounts to vote or obtain the coupon code or credits.
Once a user logs in, the malware can extract the victim's Facebook ID, location, email address, and IP address, as well as the cookies and tokens linked to the profile. This allows the attacker to run disinformation campaigns using the victim's geolocation details, or to spread the malware further through social engineering tactics such as sending personal messages that include links to the trojan.
This is accomplished by using a technique called JavaScript injection in which the application loads the legitimate URL inside a WebView equipped with the capability to inject JavaScript code and collects all the required information such as cookies, user account credentials, location, and IP address by inserting malicious [JavaScript] code, Yaswant stated.
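As an added illustration of the WebView-injection pattern described above (an example written for this page, not Zimperium's tooling or the trojan's own code), the following Python heuristic scans decompiled Java source for the chain an analyst would look for: JavaScript enabled on a WebView, a social-network login page loaded into it, and a path to read cookies or script results back into native code. The two source snippets are constructed, and the `Finding`/`triage` names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Each signal is one link in the chain the report describes: JS enabled,
# a real login page loaded, and a way to pull data back out of the WebView.
SIGNALS = {
    "js_enabled": re.compile(r"setJavaScriptEnabled\(\s*true\s*\)"),
    "loads_social_login": re.compile(r'loadUrl\(\s*"https?://[^"]*facebook\.com'),
    "js_injection": re.compile(
        r'\b(evaluateJavascript|addJavascriptInterface)\s*\(|loadUrl\(\s*"javascript:'),
    "cookie_harvest": re.compile(r"CookieManager\.getInstance\(\)\.getCookie\("),
}

@dataclass
class Finding:
    path: str
    hits: set = field(default_factory=set)

    @property
    def suspicious(self) -> bool:
        # Flag only the full chain: JS on, login page loaded, and a read-back path.
        # A WebView with JS enabled alone is normal and must not trigger.
        has_chain = {"js_enabled", "loads_social_login"} <= self.hits
        return has_chain and bool(self.hits & {"js_injection", "cookie_harvest"})

def scan_source(path: str, text: str) -> Finding:
    finding = Finding(path)
    for name, rx in SIGNALS.items():
        if rx.search(text):
            finding.hits.add(name)
    return finding

def triage(sources: dict) -> dict:
    """Map each decompiled file path to its Finding."""
    return {p: scan_source(p, t) for p, t in sources.items()}

# Constructed sample: the pattern an analyst would see in a FlyTrap-style app.
# The injected script itself is a placeholder, not real harvesting code.
SUSPECT_SOURCE = """
WebView wv = findViewById(R.id.web);
wv.getSettings().setJavaScriptEnabled(true);
wv.addJavascriptInterface(new Bridge(), "android");
wv.setWebViewClient(new WebViewClient() {
    public void onPageFinished(WebView v, String url) {
        String c = CookieManager.getInstance().getCookie(url);
        v.evaluateJavascript("<injected script>", null);
    }
});
wv.loadUrl("https://www.facebook.com/login");
"""
# Constructed benign sample: JS enabled to render the app's own help page.
BENIGN_SOURCE = """
WebView wv = findViewById(R.id.help);
wv.getSettings().setJavaScriptEnabled(true);
wv.loadUrl("https://example.com/help");
"""
```

Run `triage` over the output of a decompiler such as jadx to get a per-file list of which links in the chain are present.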
While the stolen data is hosted on a command-and-control (C2) server, security vulnerabilities in the C2 server may be leveraged to leak the whole database of stolen session cookies to anybody on the internet, as a result placing the victims at high risk.
"Malicious threat actors are leveraging common user misconceptions that logging into the right domain is always secure irrespective of the application used to log in," Yaswant added. "The targeted domains are popular social media platforms and this campaign has been exceptionally effective in harvesting social media session data of users from 144 countries. These accounts can be used as a botnet for different purposes: from boosting the popularity of pages/sites/products to spreading misinformation or political propaganda."
On Monday, Zimperium's head of product marketing for endpoint security, Richard Melick, informed Threatpost that Android users can reduce the risk of infection instantly by ensuring that they don't allow any software from an unauthorized source to be loaded.
While most Android smartphones have the option turned off by default, social-engineering tactics are “highly effective in tricking users into allowing it,” he stated in an email. To turn off unknown sources on Android, go to settings, security, and make sure the “unknown sources” option is turned off.
Users should also set up multi-factor authentication (MFA) for all social media accounts and, in general, be suspicious of grabby apps, Melick advised.