An Android Trojan has been found to have compromised more than 10,000 Facebook accounts in at least 144 countries since March 2021. It was distributed as fraudulent apps via the Google Play Store and third-party app marketplaces.
The previously undocumented Trojan, known as “FlyTrap”, is now believed to belong to a family of Trojans that use social engineering tricks to breach Facebook accounts as part of a session hijacking campaign orchestrated by cybercriminals operating out of Vietnam, according to reports published by Zimperium’s zLabs.
Trojan Applications
The nine malicious applications have been removed from the Google Play Store, but they remain available in third-party app stores, which raises the risk that they are sideloaded onto mobile endpoints and expose user data. The applications are:
- GG Voucher (com.luxcarad.cardid)
- GG Voucher Ads (com.m_application.app_moi_6)
- Vote European Football (com.gardenguides.plantingfree)
- GG Coupon Ads (com.free_coupon.gg_free_coupon)
- Chatfuel (com.ynsuper.chatfuel)
- GG Voucher (com.free.voucher)
- Net Coupon (com.movie.net_coupon)
- Net Coupon (com.free_coupon.net_coupon)
- EURO 2021 Official (com.euro2021)
The malicious apps offer Netflix and Google AdWords coupons and let users vote for their favorite players and teams in EURO 2021, which took place from 11 June to 11 July 2021. To cast a vote, users were required to log in with their Facebook accounts.
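Because the apps were pulled from Google Play but still circulate through third-party stores, a quick device triage is to check installed packages against the nine package names above and flag anything not installed by a trusted store. The following script is an added example (not from the Zimperium report): it parses constructed `adb shell pm list packages -i` output, and the trusted-installer set and the sample lines are assumptions.

```python
import re

# Package names of the nine FlyTrap apps listed above.
FLYTRAP_PACKAGES = {
    "com.luxcarad.cardid",
    "com.m_application.app_moi_6",
    "com.gardenguides.plantingfree",
    "com.free_coupon.gg_free_coupon",
    "com.ynsuper.chatfuel",
    "com.free.voucher",
    "com.movie.net_coupon",
    "com.free_coupon.net_coupon",
    "com.euro2021",
}

# Assumption: only the Play Store and the Samsung store count as trusted
# installers; "null" (adb or manual APK install) and anything else is flagged.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# One line of `pm list packages -i` output: "package:<pkg>  installer=<pkg|null>"
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")

def triage(pm_output: str) -> dict:
    """Return {'flytrap': [...], 'sideloaded': [...]} for the given pm output."""
    flytrap, sideloaded = [], []
    for line in pm_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        pkg, installer = m.group(1), m.group(2)
        if pkg in FLYTRAP_PACKAGES:
            flytrap.append(pkg)
        if installer not in TRUSTED_INSTALLERS:
            sideloaded.append(pkg)
    return {"flytrap": sorted(flytrap), "sideloaded": sorted(sideloaded)}

# Constructed sample output; "com.thirdparty.store" is a placeholder installer.
SAMPLE = """\
package:com.android.chrome  installer=com.android.vending
package:com.euro2021  installer=null
package:com.free.voucher  installer=com.thirdparty.store
package:com.example.notes  installer=com.android.vending
package:com.example.sideloaded  installer=null
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    for pkg in result["flytrap"]:
        print(f"KNOWN FLYTRAP PACKAGE: {pkg}")
    for pkg in result["sideloaded"]:
        print(f"sideloaded (installer not trusted): {pkg}")
```

On a real device, pipe `adb shell pm list packages -i` into `triage()` instead of `SAMPLE`; a sideloaded hit that is not in the known list still deserves a look, since the report notes the family is spreading through third-party stores.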
How Does It Work?
Once the user signs in, the malware pilfers the person’s Facebook ID, email address, location, IP address, and the tokens and cookies associated with the Facebook account, enabling the attacker to run disinformation campaigns using the target’s geolocation details. The malware can also propagate further via personal messages that contain links to the Trojan.
The malware is capable of JavaScript code injection: it opens the legitimate URL inside a WebView, injects the code, and extracts the target information such as cookies, IP address, and email.
What Is The Data Used For?
The exfiltrated data is hosted on C2 infrastructure, and the exploitation of security flaws found in the C2 server can expose the entire database of stolen cookies to anyone with access to the internet, putting the victims at even greater risk. The accounts stolen across 144 countries can be used for a number of purposes, from something as harmless as boosting the popularity of a page to spreading political propaganda.