FlyTrap Android malware compromised over 10,000 Facebook accounts

FlyTrap Android malware

According to experts from Zimperium, Android malware FlyTrap hijacks Facebook accounts in 140 countries around the world by stealing session cookies.

Worse, the researchers found that the stolen information was available to anyone who found the FlyTrap C&C server.

Analysts believe the malware has been active since at least this spring.

Forensic evidence of this active Android Trojan attack, which we have named FlyTrap, points to malicious parties out of Vietnam running this session hijacking campaign since March 2021.Zimperium specialists write.

Attackers use decoys distributed through Google Play and third-party Android app stores.

As a rule, such a decoy offers the user free coupons (for Netflix, Google AdWords, and so on) or offers to vote for their favorite football team and Euro 2020 player.

FlyTrap Android malware

To do this, the victim allegedly needs to log into the application using Facebook credentials, and authentication occurs through the legitimate domain of the social network. Since the malicious apps use real Facebook SSO, they cannot directly collect user credentials. Instead, FlyTrap uses JavaScript injection to collect other sensitive data.

The application opens a real URL inside a WebView configured using JavaScript injection, which allows it to retrieve all the information it needs, including cookies, user account details, location information, and IP address.the experts write.

The information collected in this way is transmitted to the attackers’ command and control server. At the moment, more than 10,000 Android users in 144 countries of the world have become victims of this malicious campaign.

FlyTrap Android malware

The exact data and numbers were extracted from the server of the criminals directly, as the researchers found that anyone could get access to it. According to experts, the FlyTrap C&C server had many vulnerabilities that made it easier to access stored information.

The researchers emphasize that phishing pages that steal credentials are not the only tool used by fraudsters. As the FlyTrap example shows, logging in through a legitimate domain can also be risky.

Let me remind you that I also talked about Alien malware that steals passwords from 226 Android apps.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *