
Malicious Android apps masquerading as educational tools have stolen the Facebook credentials of hundreds of thousands of people over the last few years, U.S. mobile security firm Zimperium said Thursday.

Hacker-Controlled Trojans Disguised as Educational Apps

The “Schoolyard Bully” campaign — a batch of Trojan viruses disguised as educational apps offering content like books and topics for students — has infected over 300,000 victims and was specifically designed to swipe Facebook credentials, Zimperium’s zLabs unit said Thursday. Though the targets of the campaign were largely located in Vietnam, victims were also spread out across 71 different countries.

Active since 2018, the trojan campaign is designed to steal and upload credentials to threat actor-controlled servers. Having since been removed from Google’s Play Store — the world’s largest store at over 3.5 million downloadable apps — Schoolyard Bully continues to be available and poses a risk to students through third-party app stores, Zimperium said.

“Nearly 64% of individuals use the same password that was exposed in a previous breach,” researchers said. “With the percentage of users recycling passwords, it is no surprise the Schoolyard Bully Trojan has been active for years.” As such, the Trojan is particularly effective at swiping financial accounts.

JavaScript Injection Via Legitimate Facebook Sign-In

The Schoolyard Bully hoovers data like Facebook profile names and IDs, emails and phone numbers, and user passwords. It also takes users’ device names and device hardware and software information. By using “native libraries,” the virus can evade some antivirus threat scans.

Researchers say Schoolyard Bully targets both Vietnamese and international victims. When a user enters their Facebook account credentials within the app through a legitimate Facebook WebView page, the data is silently extracted through JavaScript injection and transferred to a threat actor-controlled command and control server.

“The Trojan opens the legitimate URL inside a WebView with the malicious JavaScript injected to extract the user’s phone number, email address, and password, then sends it to the configured Firebase C&C.”

Zimperium researchers noted that earlier campaigns like “FlyTrap” were, like Schoolyard Bully, propagated by Vietnamese threat actors. The perpetrators, though, seem to be different from those behind “FlyTrap,” as the campaigns operate differently and use different code.
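
The WebView behaviour described in this section leaves static traces in a decompiled app. The triage heuristic below is an added example, not Zimperium's detection logic; the signal weights, the threshold and both sample snippets are assumptions constructed for illustration.

```python
import re

# Static signals for the pattern described above: an app-hosted WebView that
# loads the real Facebook login page, has script pushed into it by the host
# app, and references a Firebase backend. Weights are illustrative assumptions.
SIGNALS = {
    "js_enabled": (re.compile(r'setJavaScriptEnabled\(\s*true\s*\)'), 1),
    "loads_facebook": (re.compile(r'loadUrl\(\s*"https?://(?:[\w-]+\.)*facebook\.com'), 2),
    "injects_js": (re.compile(r'evaluateJavascript\(|loadUrl\(\s*"javascript:'), 3),
    "js_bridge": (re.compile(r'addJavascriptInterface\('), 2),
    "firebase_endpoint": (re.compile(r'[\w-]+\.firebaseio\.com|FirebaseDatabase\.getInstance'), 2),
    "native_lib": (re.compile(r'System\.loadLibrary\('), 1),
}
THRESHOLD = 7  # assumed cut-off for escalating to manual review

def triage(source: str) -> dict:
    """Score decompiled Java source against the signals above."""
    hits = {name for name, (rx, _) in SIGNALS.items() if rx.search(source)}
    score = sum(SIGNALS[name][1] for name in hits)
    # Script injection into a third-party login page is the core of the
    # pattern; every other signal on its own is common in benign apps.
    core = {"loads_facebook", "injects_js"} <= hits
    return {"hits": sorted(hits), "score": score,
            "suspicious": core and score >= THRESHOLD}

# Constructed sample: fragments as they might appear after decompilation.
SAMPLE_SUSPICIOUS = '''
System.loadLibrary("core");
web.getSettings().setJavaScriptEnabled(true);
web.loadUrl("https://m.facebook.com/login");
web.evaluateJavascript(script, null);
String db = "https://example-project.firebaseio.com";
'''

# Constructed sample: an ordinary help screen plus a Firebase-backed feature.
SAMPLE_BENIGN = '''
help.getSettings().setJavaScriptEnabled(true);
help.loadUrl("https://example.org/help");
FirebaseDatabase.getInstance().getReference("scores");
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, triage(src))
```

A hit only means the app deserves manual review: legitimate apps that embed a login page in a WebView can match some of these signals too.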

Be Cautious Around Third-Party App Stores and Apps

Third-party apps can find their way onto any app store, regardless of the reputation and security they may have. They have, however, statistically been more present on Google Play and third-party app stores geared toward Android. This October, Meta security researchers identified over 400 mobile apps targeting Facebook users on Google Play.

Apple is known to be more stringent about verifying apps on its App Store and about allowing “side-loading,” which can let hackers sidestep Apple’s protections.

Third-party apps are those created by someone other than the original vendor or manufacturer the app was designed for, while third-party app stores are often defined as those excluding Google’s Play Store and Apple’s App Store. These may include the much smaller Amazon Appstore and Android app stores that cater to the Chinese market, like Huawei AppGallery and Tencent’s Appstore.

We recommend you use a premium antivirus scanner like Kaspersky Security Cloud Free on your Android device that can flag suspicious apps and websites before they have the chance to get on your device. If you suspect your mobile device may have already been infected, make sure to have a look at our Android malware removal guide.
