Pierluigi Paganini August 10, 2021

Experts spotted a new Android trojan, dubbed FlyTrap, that compromised Facebook accounts of over 10,000 users in at least 144 countries since March 2021.

Zimperium’s zLabs researchers spotted a new Android trojan, dubbed FlyTrap, that already compromised Facebook accounts of over 10,000 users in at least 144 countries since March 2021. The malware was spreading via fraudulent apps distributed through Google Play Store and also other third-party app marketplaces.

“Forensic evidence of this active Android Trojan attack, which we have named FlyTrap, points to malicious parties out of Vietnam running this session hijacking campaign since March 2021. These malicious applications were initially distributed through both Google Play and third-party application stores.” reported Zimperium. “Zimperium zLabs reported the findings to Google, who verified the provided research and removed the malicious applications from the Google Play store.”

Experts believe that FlyTrap belongs to a family of trojans that employ social engineering tricks to compromise Facebook accounts as part of a session hijacking campaign.

The threat actors behind the attack are likely operating out of Vietnam.

The experts found a total of nine malicious applications on Google Play that were quickly removed, but they are still available in third-party app stores. The list of malicious apps includes:

• GG Voucher (com.luxcarad.cardid)
• Vote European Football (com.gardenguides.plantingfree)
• GG Coupon Ads (com.free_coupon.gg_free_coupon)
• GG Voucher Ads (com.m_application.app_moi_6)
• GG Voucher (com.free.voucher)
• Chatfuel (com.ynsuper.chatfuel)
• Net Coupon (com.free_coupon.net_coupon)
• Net Coupon (com.movie.net_coupon)
• EURO 2021 Official (com.euro2021)

The threat actors used several themes as bait such as free Netflix and Google AdWords coupon codes, and voting for the best soccer team or player. The apps are designed to trick users into downloading and trusting the application. Upon installing the malicious application, it displays pages that engage the user and asks for a response from them, such as the ones shown below.

When the users sign into their account, the malware collects their victim’s data, including Facebook ID, location, email address, IP address, and the cookies and tokens associated with the Facebook account.

This info allows threat actors to hijack the victim’s Facebook accounts and use them to distribute malware to its contacts and carry out disinformation campaigns using the victim’s geolocation details.

The Trojan exploits a technique known as JavaScript injection to hijack sessions even by logging into the original and legit domain.

“Using this technique, the application opens the legit URL inside a WebView configured with the ability to inject JavaScript code and extracts all the necessary information such as cookies, user account details, location, and IP address by injecting malicious JS code.” continues the analysis.

The experts found a flaw in the authentication process to the C2 server that allowed them to access the harvested session cookies.

“Malicious threat actors are leveraging common user misconceptions that logging into the right domain is always secure irrespective of the application used to log in,” concludes Zimperium. “The targeted domains are popular social media platforms and this campaign has been exceptionally effective in harvesting social media session data of users from 144 countries. These accounts can be used as a botnet for different purposes: from boosting the popularity of pages/sites/products to spreading misinformation or political propaganda.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, FlyTrap Trojan)

[adrotate banner=”5″]

[adrotate banner=”13″]