Cybersecurity: A New Android Malware “FlyTrap” Revealed

A new Android Trojan has been identified by a cybersecurity firm called Zimperium. Zimperium is an advanced mobile security platform focused on helping its customers detect mobile device threats. Zimperium revealed that FlyTrap a new Android Malware has compromised thousands of Facebook accounts. Android Trojan has hit about 10,000 victims across 140 countries since March. The cybersecurity company claims the new malware campaign spread through social media hijacking, third-party app stores, and side-loaded applications. The company dubbed this malware FlyTrap and said that until recently it was listed on the official Google Play Store.

Zimperium research teams first identified the malware and figured out that it uses social engineering tricks to compromise Facebook accounts. The malware hijacks social media accounts by firstly infecting Android devices, allowing attackers to collect information like Facebook ID, location, email address, and IP address from victims, as well as cookies and tokens tied to users’ Facebook account. According to a report published by Zimperium, FlyTrap is believed to be an undocumented malware that is part of a family of Trojans which employ extreme social engineering tricks to breach Facebook accounts as part of a session hijacking campaign orchestrated by malicious actors operating from Vietnam and shared with The Hacker News.

Although Google Play has since pulled out the nine offending applications said Aazim Yashwant a Zimperium malware researcher, they continue to be available in third-party app stores. This continues to “highlighting the risk of sideloaded applications to mobile endpoints and user data”. He highlighted the list of apps as follows –

• GG Voucher (com.luxcarad.cardid)
• Vote European Football (com.gardenguides.plantingfree)
• GG Coupon Ads (com.free_coupon.gg_free_coupon)
• GG Voucher Ads (com.m_application.app_moi_6)
• GG Voucher (com.free.voucher)
• Chatfuel (com.ynsuper.chatfuel)
• Net Coupon (com.free_coupon.net_coupon)
• Net Coupon (com.movie.net_coupon)
• EURO 2021 Official (com.euro2021)

The malicious apps claim to offer Netflix and Google AdWords coupon codes and let users vote for their favorite teams and players at UEFA EURO 2020, which took place between 11 June and 11 July 2021. The malicious app utilizes this social engineering method under the condition that users log in with their Facebook accounts to cast their vote, or collect the coupon code or credits. Once everything is entered, the app takes victims to a screen that says the coupon has already expired. The malware is equipped to steal the victim’s Facebook ID, location, email address, IP address, and the cookies and tokens associated with the Facebook account instantly, thus enabling the threat actor to carry out disinformation campaigns using the victim’s geolocation details or propagate the malware further via social engineering techniques by sending personal messages containing links to the Trojan.

“These social engineering techniques are highly effective in the digitally connected world and are used often by cybercriminals to spread malware from one victim to another.  Says Zimperium malware researcher. The researchers further explained that the malware uses a technique called “JavaScript injection”, which allows the app to open legitimate URLs inside a “WebView configured with the ability to inject JavaScript code.” The app then extracts information like cookies, user account details, location, and IP address by injecting malicious JS code.

Zimperium suggests Android users find ways to check if any applications on their device have FlyTrap and noted that these breached accounts could be used as a botnet for other purposes like boosting the popularity of certain pages or sites. He added “FlyTrap is just one example of the ongoing, active threats against mobile devices aimed at stealing credentials. Mobile endpoints are often treasure troves of unprotected login information to social media accounts, banking applications, enterprise tools, and more,” said Zimperium researcher.