Since March 2021, Zimperium’s zLabs researchers have discovered a new Android trojan known as FlyTrap that has compromised the Facebook accounts of over 10,000 people in at least 144 countries.
The malware was deployed using fake apps available on the Google Play Store and other third-party app stores.
“Forensic evidence of this active Android Trojan attack, which we have named FlyTrap, points to malicious parties out of Vietnam running this session hijacking campaign since March 2021. These malicious applications were initially distributed through both Google Play and third-party application stores,” reported Zimperium. “Zimperium zLabs reported the findings to Google, who verified the provided research and removed the malicious applications from the Google Play store.”
FlyTrap is thought to be part of a family of trojans that use social engineering techniques to breach Facebook accounts as part of a session hijacking operation, according to experts.
Threat actors behind the attack are most likely based in Vietnam.
Experts discovered nine malicious apps on Google Play. They were promptly removed from Google Play but are still available in third-party app stores. The harmful apps, with their package names, are:
- GG Voucher (com.luxcarad.cardid)
- Vote European Football (com.gardenguides.plantingfree)
- GG Coupon Ads (com.free_coupon.gg_free_coupon)
- GG Voucher Ads (com.m_application.app_moi_6)
- GG Voucher (com.free.voucher)
- Chatfuel (com.ynsuper.chatfuel)
- Net Coupon (com.free_coupon.net_coupon)
- Net Coupon (com.movie.net_coupon)
- EURO 2021 Official (com.euro2021)
Free Netflix and Google AdWords coupon offers, as well as voting for the best soccer team or player, were used as bait by the threat actors.
The apps are intended to lure users into downloading and trusting them. When the malicious application is installed, it presents pages that interest the user and ask for a response, such as the ones below.
When users log into their Facebook accounts through the app, the malware collects information about the victim, including their Facebook ID, location, email address, IP address, and the session cookies and tokens associated with the account.
Threat actors can use this information to take over the victim’s Facebook account, use it to spread the malware to the victim’s contacts, and run disinformation campaigns targeted with the victim’s geolocation data.
The experts discovered a vulnerability in the C2 server’s authentication process that allowed them to access the captured session cookies.