New Android Malware Has Stolen Data From Thousands of Facebook Accounts

A new Android Trojan was discovered to have compromised over 10,000 Facebook accounts in at least 144 countries.

The malware, dubbed FlyTrap, is a new family of Android Trojans that hijacks Facebook accounts by harvesting their session data.

Zimperium’s zLabs researchers stated that the campaign was orchestrated by individuals operating in Vietnam.

Although the malicious apps have been removed from Google Play, they remain available in third-party app stores, according to Aazim Yaswant of Zimperium, and can still expose Facebook users’ sensitive information.

The malicious apps are:

  • GG Voucher (com.luxcarad.cardid)
  • Vote European Football (com.gardenguides.plantingfree)
  • GG Coupon Ads (com.free_coupon.gg_free_coupon)
  • GG Voucher Ads (com.m_application.app_moi_6)
  • GG Voucher (com.free.voucher)
  • Chatfuel (com.ynsuper.chatfuel)
  • Net Coupon (com.free_coupon.net_coupon)
  • Net Coupon (com.movie.net_coupon)
  • EURO 2021 Official (com.euro2021)

The apps lure users with free Google AdWords and Netflix coupon codes, or with the chance to vote for their favorite team or player at UEFA EURO 2020. To claim the offer or cast the vote, users are asked to log in with their Facebook accounts.

Once the victim logs in, the malware steals personal information: Facebook ID, location, email address, IP address, and the cookies and tokens of the now-authenticated session.

With valid sessions in hand, the threat actor could create and distribute disinformation campaigns tailored to the victim’s geolocation. The hijacked accounts were also used to spread the infection further through social engineering, sending lures to the victim’s contacts via private messages.

Rather than showing a fake login page, the apps load the legitimate Facebook login URL inside an Android WebView that the app controls. Because the app can inject JavaScript into any page the WebView renders, it can read the user’s cookies, IP address and other session details from the real site after a successful login, so checking that the address bar shows the right domain offers no protection.

“The application opens the legit URL inside a WebView configured with the ability to inject JavaScript code and extracts all the necessary information such as cookies, user account details, location, and IP address by injecting malicious [JavaScript] code,” Yaswant explained.
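The combination Yaswant describes (a real login URL loaded in a WebView with JavaScript enabled, script injected after the page loads, and cookies read back from the host) is something an analyst can look for when triaging an APK. The following is an added example written for this article, not Zimperium’s or the malware’s code. It runs a simple heuristic over strings assumed to have been pulled from an unpacked APK (decoded manifest, smali or dex string tables; extraction is out of scope here) and also checks the package name against the list above. The sample strings are constructed, and the `example.invalid` URLs are placeholders, not real infrastructure.

```python
"""Static triage heuristic for WebView-based session hijacking of the kind
described for FlyTrap. Added example, not Zimperium's or the malware's code."""
import re

# Package names of the apps listed in the article (Zimperium's indicators).
FLYTRAP_PACKAGES = {
    "com.luxcarad.cardid", "com.gardenguides.plantingfree",
    "com.free_coupon.gg_free_coupon", "com.m_application.app_moi_6",
    "com.free.voucher", "com.ynsuper.chatfuel", "com.free_coupon.net_coupon",
    "com.movie.net_coupon", "com.euro2021",
}

# The four behaviours that together make up the technique: a real login page
# loaded in a WebView, JavaScript switched on, script injected into the page,
# and cookies read back from the host application.
INDICATORS = {
    "login_url": re.compile(
        r"https?://(?:m|www)\.facebook\.com/(?:login|v\d+\.\d+/dialog/oauth)", re.I),
    "js_enabled": re.compile(r"\bsetJavaScriptEnabled\b"),
    "js_injection": re.compile(r"\bevaluateJavascript\b|javascript:|\baddJavascriptInterface\b"),
    "cookie_read": re.compile(r"\bCookieManager\b|\bgetCookie\b|document\.cookie"),
}
TECHNIQUE = ("login_url", "js_enabled", "js_injection", "cookie_read")


def triage(strings, package_name):
    """Return a dict with per-indicator hits and a verdict for one APK.

    Verdicts: known_flytrap_ioc (package name is on the list), webview_session_hijack
    (all four behaviours present), review (two or three present), clean (fewer).
    """
    hits = {name: [s for s in strings if pat.search(s)] for name, pat in INDICATORS.items()}
    known_ioc = package_name in FLYTRAP_PACKAGES
    matched = [name for name in TECHNIQUE if hits[name]]
    if known_ioc:
        verdict = "known_flytrap_ioc"
    elif len(matched) == len(TECHNIQUE):
        verdict = "webview_session_hijack"
    elif len(matched) >= 2:
        verdict = "review"
    else:
        verdict = "clean"
    return {"package": package_name, "known_ioc": known_ioc,
            "matched": matched, "hits": hits, "verdict": verdict}


# Constructed sample: smali-style method references and URLs an unpacked
# coupon-scam app might contain. The upload URL is a placeholder.
SUSPECT_STRINGS = [
    "https://m.facebook.com/login.php",
    "Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V",
    "Landroid/webkit/WebView;->evaluateJavascript(Ljava/lang/String;Landroid/webkit/ValueCallback;)V",
    "Landroid/webkit/CookieManager;->getCookie(Ljava/lang/String;)Ljava/lang/String;",
    "https://example.invalid/api/upload",
]

# Constructed sample: an app that uses the official Facebook Login SDK and
# Custom Tabs, so the app never scripts the login page and never sees cookies.
BENIGN_STRINGS = [
    "Lcom/facebook/login/LoginManager;->logInWithReadPermissions(Landroid/app/Activity;Ljava/util/Collection;)V",
    "Landroidx/browser/customtabs/CustomTabsIntent;->launchUrl(Landroid/content/Context;Landroid/net/Uri;)V",
    "https://example.invalid/terms",
]

if __name__ == "__main__":
    for name, strings, pkg in (("suspect", SUSPECT_STRINGS, "com.example.freevoucher"),
                               ("benign", BENIGN_STRINGS, "com.example.benign")):
        r = triage(strings, pkg)
        print(f"{name}: verdict={r['verdict']} matched={r['matched']}")
```

A hit on all four indicators is a strong signal, but a single one is not: many legitimate hybrid apps enable JavaScript in a WebView, and the Facebook SDK references `facebook.com` URLs. The point of the check is the combination, together with a login URL for a third-party domain the app has no business scripting.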

The stolen data is sent to the attackers’ command-and-control (C2) infrastructure. Zimperium found that this infrastructure was itself vulnerable, so the entire database of stolen session cookies could be exposed to anyone on the internet, not only to the operators.

“Malicious threat actors are leveraging common user misconceptions that logging into the right domain is always secure irrespective of the application used to log in,” Yaswant said. “The targeted domains are popular social media platforms and this campaign has been exceptionally effective in harvesting social media session data of users from 144 countries. These accounts can be used as a botnet for different purposes: from boosting the popularity of pages/sites/products to spreading misinformation or political propaganda.”

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.