
Android Trojan compromises Facebook Accounts
A new Android Trojan, identified as FlyTrap, has been found to have compromised around 10,000 users’ Facebook accounts in 144 countries since March this year. The campaign was carried out through apps distributed via the Google Play Store and other application distribution services.
Zimperium’s zLabs states that FlyTrap appears to belong to a family of Trojans that use social engineering tricks to breach Facebook accounts as part of a session hijacking campaign run by threat actors operating out of Vietnam.
The security firm found nine malicious apps on Google Play, which were removed immediately. They remain available on other app stores, so the threat persists. Aazim Yaswant, malware researcher at Zimperium, also noted that this shows the risk that sideloaded applications pose to mobile endpoints and user data. The apps are:
- GG Voucher (com.luxcarad.cardid)
- Vote European Football (com.gardenguides.plantingfree)
- GG Coupon Ads (com.free_coupon.gg_free_coupon)
- GG Voucher Ads (com.m_application.app_moi_6)
- GG Voucher (com.free.voucher)
- Chatfuel (com.ynsuper.chatfuel)
- Net Coupon (com.free_coupon.net_coupon)
- Net Coupon (com.movie.net_coupon)
- EURO 2021 Official (com.euro2021)
To lure users, the threat actors used tactics such as offering free Netflix and Google AdWords coupon codes, or a vote for the best soccer team or player, in exchange for logging into their Facebook accounts. The lures were designed to persuade the user to download and trust the application. Once installed, the app displays pages that keep users engaged by asking them to respond to various prompts.
As soon as the user logs in, the malware acts through a technique called JavaScript injection and collects data including the Facebook ID, location, email address, IP address, and the cookies linked to the account. This immediately allows the attacker to hijack the Facebook account and use it to spread the malware further. The attackers also use the affected users’ geolocation information to run a disinformation campaign. The experts further highlighted that a flaw in the authentication process to the C2 server allows access to the harvested session cookies.
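Cookie theft of this kind is invisible to the user on the device, but the service receiving the cookie can spot it: a session cookie issued to a login from one country and reused minutes later from an IP address in another country is a strong session hijacking signal. The following Python script is an added example, not code from the article or from Zimperium; it runs an impossible-travel heuristic over constructed sample log lines, and the log format, session ids, IP addresses and country codes are assumptions for illustration.

```python
"""Flag sessions whose cookie is reused from another country shortly after a
legitimate use (impossible-travel heuristic for session hijacking)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). Format:
# timestamp,session_id,event,ip,country
SAMPLE_LOG = """\
2021-08-01T10:00:00,sess_a1,login,198.51.100.10,DE
2021-08-01T10:02:11,sess_a1,api,198.51.100.10,DE
2021-08-01T10:05:40,sess_a1,api,203.0.113.77,VN
2021-08-01T11:00:00,sess_b2,login,192.0.2.5,FR
2021-08-01T11:30:00,sess_b2,api,192.0.2.5,FR
2021-08-01T12:00:00,sess_c3,login,192.0.2.9,US
2021-08-01T20:00:00,sess_c3,api,192.0.2.9,US
"""


def parse_log(text):
    """Parse comma-separated log lines into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, sid, event, ip, country = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "sid": sid,
            "event": event,
            "ip": ip,
            "country": country,
        })
    return events


def find_hijacked_sessions(events, window=timedelta(hours=1)):
    """Return {session_id: details} for every session that is used from two
    different countries within `window` of each other. Travelling between
    countries in that time is implausible, so the cookie was most likely copied."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["sid"]].append(e)

    flagged = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        # Compare each event with the one before it in the same session.
        for prev, cur in zip(evs, evs[1:]):
            gap = cur["ts"] - prev["ts"]
            if cur["country"] != prev["country"] and gap <= window:
                flagged[sid] = {
                    "from_country": prev["country"],
                    "to_country": cur["country"],
                    "to_ip": cur["ip"],
                    "seconds": int(gap.total_seconds()),
                }
                break  # one finding per session is enough to act on
    return flagged


if __name__ == "__main__":
    for sid, info in find_hijacked_sessions(parse_log(SAMPLE_LOG)).items():
        print(f"{sid}: {info['from_country']} -> {info['to_country']} "
              f"({info['to_ip']}) after {info['seconds']}s; revoke session")
```

The action on a hit is to invalidate the session server-side and force re-authentication, since the stolen cookie is otherwise valid until it expires. In a real deployment the country lookup would come from a GeoIP database and the window would be tuned to the expected travel time between the two locations rather than a flat one hour.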
Zimperium also pointed out that users assume logging into the legitimate domain is safe regardless of which application is used, and the threat actors exploited this misconception; in this case, users from 144 countries were affected. According to the researchers, hijacked accounts can be a gateway to further abuse, such as inflating the popularity of pages, spreading misinformation, or promoting a political agenda.