Security researchers at Zimperium discovered a new type of Android malware, named FlyTrap, which since March has compromised the Facebook accounts of at least 10,000 people in 144 countries. Lured by free Netflix discount codes, Google AdWords coupons and soccer club voting games, users unwittingly gave up their Facebook login credentials.
FlyTrap Trojan Spread Through Android Apps
The format was very simple. In the first scenario, the perpetrators offered free coupons and discount codes for Netflix or Google AdWords to their victims. To receive their coupon, victims had to log in using their Facebook credentials. To enter their credentials, the app directed them to a legitimate Facebook domain.
In the second scenario, the malware hid in a simple soccer voting game. The app asked users simple questions, like: Who’s the best team? Are you planning to go to a match? Again, the app urged users to engage. Eventually, the app asked the soccer fans to go to their Facebook account to collect their coupon. Next, the hackers simply hijacked their Facebook Session.
Technique Not New, Yet Highly Effective
The malware is part of a family of Trojans that make use of highly effective social engineering tricks to compromise victims’ Facebook accounts. While most people believe phishing scams only happen when they click on malicious links or land on a fake website, this is not necessarily the case.
On the contrary, in this scam, an innocent looking app directed users to the legitimate Facebook sign-in page. The high-quality design of the apps, legitimate looking pop-up screens and perfect English didn’t raise any flags. Consequently, the hackers were able to fly under the victim’s radar.
In the end, no actual voting or discount codes were generated. The final screen only displayed a simple message claiming the coupon had expired after being redeemed and before the spend requirement was met.
From One Victim to Another
Meanwhile, the hackers were able to collect confidential information, such as: the victim’s Facebook ID, geolocation, email address, IP address, as well as cookies and tokens associated with their Facebook account. The malware then transferred the data to FlyTrap’s command and control (C2) server.
“These hijacked Facebook sessions can be used to spread the malware by abusing the victim’s social credibility through personal messaging with links to the Trojan, as well as propagating (political) propaganda or disinformation campaigns using the victim’s geolocation details”, said Aazim Yaswant, Android malware analyst in Zimperium’s blogpost.
To make things worse, the stolen information was available to anyone who discovered FlyTrap’s command and control server. “Security vulnerabilities in the C&C server expose the entire database of stolen session cookies to anyone on the internet, further increasing the threat to the victim’s social credibility”, Aazim Yaswant explains.
Ongoing Active Threats
Zimperium zLabs reported their findings to Google. The tech giant verified the provided research and removed the malicious applications from the Google Play store. “However, the malicious applications are still available on third-party, unsecured app repositories, highlighting the risk of sideloaded applications to mobile endpoints and user data.”
The researchers’ investigation led them to malicious parties running the campaign out of Vietnam from March 2021. To date they’ve acquired more than 10,000 victims in at least 140 countries.
“FlyTrap is just one example of the ongoing, active threats against mobile devices aimed at stealing credentials. Mobile endpoints are often treasure troves of unprotected login information to social media accounts, banking applications, enterprise tools, and more.”