New Android Trojan hijacks Facebook accounts
A previously unseen Android Trojan dubbed FlyTrap has targeted at least 140 countries since March this year, spreading to more than 10 000 victims via social media hijacking, third-party app stores, and sideloaded applications.
This was revealed by Zimperium’s zLabs mobile threat research teams, who, using the company’s z9 malware engine and on-device detection, recently found several previously undetected applications.
After a forensic investigation, the researchers ascertained that FlyTrap is part of a family of Trojans that use social engineering to compromise Facebook accounts. They also believe that bad actors out of Vietnam are running the campaign.
Initially, these Trojans were distributed through both Google Play and third-party application stores. Zimperium zLabs reported the findings to Google, who verified the provided research and removed the malware from the Google Play store.
Unfortunately, they are still available on third-party, unsecured app repositories, highlighting the risk of sideloaded applications to mobile endpoints and user data. Sideloading is the process of downloading and installing apps onto a mobile device from an unofficial source.
FlyTrap poses a threat to the victim’s social identity by hijacking their Facebook accounts via the Trojan that infects their Android device. The information collected from the victim’s Android device includes Facebook ID, location, e-mail, IP address, and cookies and tokens associated with the accounts in question.
Hijacked Facebook sessions can be used to spread the malware by abusing the target’s social credibility through personal messaging containing links to the Trojan, as well as propagating propaganda or disinformation campaigns using the victim’s geolocation details.
According to the researchers, these social engineering techniques are very effective in today’s digital world and are often employed by attackers to spread malware.
The malefactors employed a variety of themes they believed users would find appealing, such as free Netflix coupon codes, Google AdWords coupon codes, and voting for the best football (soccer) team or player.
At first available through Google Play and third-party stores, the application used high-quality designs and social engineering to fool users into downloading and trusting it.
Following installation, FlyTrap displays pages that engage the user and elicit a response from them. “The engagement continues until the user is shown the Facebook login page and asked to log in to their account to cast their vote or collect the coupon code or credits,” the researchers say.
However, this is all yet another trick to mislead the user since no voting or coupon code is generated. Instead, the final screen attempts to justify the fake code by displaying a message claiming the “Coupon expired after redemption and before spending.”
The researchers say that although the popular belief is that a phishing page is always at the forefront of compromising or hijacking an account, there are other ways to hijack sessions, including while the user logs into the original and legitimate domain.
This Trojan exploits one such technique known as JavaScript injection. “Using this technique, the application opens the legit URL inside a WebView configured with the ability to inject JavaScript code and extracts all the necessary information such as cookies, user account details, location, and IP address by injecting malicious JS code.”
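As an added illustration (not code from Zimperium or from this article), the following Python triage heuristic shows how an analyst could flag decompiled Android source that combines the ingredients the researchers describe: a third-party site loaded in a script-enabled WebView together with a script-injection call or a cookie read. The function names, the own_domains allowlist and the sample inputs are assumptions made for the example.

```python
import re

# Each signal is a real Android WebView/CookieManager call that the technique
# described above depends on. Matching is textual, over decompiled Java source.
SIGNALS = {
    "js_enabled": re.compile(r'\.setJavaScriptEnabled\(\s*true\s*\)'),
    "js_injection": re.compile(
        r'\.evaluateJavascript\(|\.addJavascriptInterface\(|\.loadUrl\(\s*"javascript:'),
    "cookie_read": re.compile(r'CookieManager\b[^;]*\.getCookie\('),
}
LOAD_URL = re.compile(r'\.loadUrl\(\s*"https?://([^/"]+)')


def is_own(host, own_domains):
    """True if host equals, or is a subdomain of, a domain the developer owns."""
    host = host.lower().split(":")[0]  # drop any port
    return any(host == d or host.endswith("." + d) for d in own_domains)


def triage(source, own_domains):
    """Return (verdict, details) for one decompiled source file (hypothetical helper)."""
    hits = {name for name, rx in SIGNALS.items() if rx.search(source)}
    foreign = sorted({h.lower() for h in LOAD_URL.findall(source)
                      if not is_own(h, own_domains)})
    # Flag only the combination: a third-party site in a script-enabled WebView
    # plus a way to run injected script or read that site's cookies.
    risky = bool(foreign) and "js_enabled" in hits and bool(
        hits & {"js_injection", "cookie_read"})
    return ("review" if risky else "ok",
            {"signals": sorted(hits), "foreign_hosts": foreign})


# Constructed sample inputs (API call fragments only, not taken from any real app).
SUSPECT = '''
w.getSettings().setJavaScriptEnabled(true);
w.addJavascriptInterface(new Bridge(), "bridge");
w.loadUrl("https://m.facebook.com/login");
String c = CookieManager.getInstance().getCookie(url);
'''
BENIGN = '''
w.getSettings().setJavaScriptEnabled(true);
w.loadUrl("https://help.example.com/faq");
w.evaluateJavascript("applyTheme()", null);
'''

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage(src, {"example.com"}))
```

A "review" verdict is a prompt for manual analysis rather than proof of malice, since the match is purely textual.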
Exploiting misconceptions
Bad actors often leverage common user misconceptions that logging into the correct domain is always secure regardless of the application being used to log in. “The targeted domains are popular social media platforms and this campaign has been exceptionally effective in harvesting social media session data of users from 144 countries.”
In addition, these accounts can be employed as a botnet for a variety of purposes, ranging from boosting the popularity of pages, sites or products to spreading misinformation or political propaganda.
As with any user manipulation, high-quality graphics and official-looking login screens are popular ways to trick users into taking action that could reveal sensitive information.
Ongoing threats against mobile devices
According to the researchers, FlyTrap is simply another example of the ongoing, active threats against mobile devices that aim to steal credentials.
“Mobile endpoints are often treasure troves of unprotected login information to social media accounts, banking applications, enterprise tools, and more. The tools and techniques used by FlyTrap are not novel but are effective due to the lack of advanced mobile endpoint security on these devices.”
The company advises users to be vigilant for any red flags which might indicate a phone has been hacked or infected with mobile malware, including a battery that runs out too quickly, relentless pop-ups, or strange applications that the user hasn’t downloaded.
In addition, any degradation of performance, or airtime and other cellular charges that make no sense, are something to be wary of.
Zimperium’s zLabs advises users to protect themselves and their devices by only downloading apps or updating apps via official app stores, and never clicking on a WhatsApp or SMS link that attempts to trick the user into updating an app, downloading an app or installing anything.
The company also advises users to be aware of mobile phishing and of links to sites that are trying to steal personal information, such as usernames and passwords. It also says never to root or jailbreak a device, as this negates the built-in security, and advises installing a good anti-malware app.
Finally, be selective about what is downloaded. Anyone who suspects their device is infected should attempt to remove the suspicious app. They could also attempt to restore the device as a new device from a previous backup or, if the infection is still persistent, they may need to do a full reset.