Credential stealer infected over 300,000 Android devices

Android malware found on Google Play stole thousands of Facebook login credentials

Users were tricked by apps that look like educational platforms

Zimperium zLabs^[1] has discovered a new Android threat campaign, called the Schoolyard Bully Trojan. This campaign has been active since 2018 and has tricked more than 300,000 people into giving away their Facebook credentials. The Schoolyard Bully Trojans have been found in numerous applications that were downloaded from both the Google Play Store and third-party app stores.

At first glance, these apps appear to be regular, educational applications with a diverse array of books and reading material. however, upon further inspection, it is revealed that these apps are actually malicious Trojan horses designed to steal Facebook credentials from their victims. These apps have now been removed from the Google Play Store but remain available on third-party stores where unsuspecting students may still download them.

How does the Schoolyard Bully Trojan work?

The Schoolyard Bully Trojan targets Vietnamese readers by disguising itself as educational applications. The attacker is able to use non-suspicious applications to target their victims. This trojan operates by Javascript injection^[2] to thieve Facebook credentials. The Trojan opens a real URL that looks like a Facebook login window inside a WebView, with injected malicious Javascript in order to extract the user's phone number, email address, and password.

Then it sends this data to the configured Firebase C&C server. Furthermore, the malware employs native libraries to prevent its malicious code from being detected by security software and analysis tools. Based on their telemetry data, Zimperium has detected this malware in 71 countries and estimates that 300,000 people have fallen victim to it.

In addition, the 37 apps associated with this campaign are distributed via third-party app stores, so the number of victims is probably even higher because there is no reliable way to measure victim counts on these platforms. Zimperium has discovered that there are more apps associated with the Schoolyard Bully trojan campaign. The researchers do not know who the threat actors behind this malware are, however, analysts saw increased activity in attempts to steal Facebook accounts focused in Vietnam.

Cybercriminals keep exploiting Google Play users

This is not the first time that threat actors listed infected applications on the Googe Play Store. Cybercriminals target social media account login details, such as Facebook, Instagram, Twitter, and even banking credentials. These malicious apps can look like anything – educational platforms, antivirus tools, system cleaners, photo editing, fitness, astrology, etc.

Earlier this year, a two-factor authentication app was discovered to take advantage of users by luring them in with the promise of better digital security.^[3] The app was downloaded about 10,000 times in the 2 weeks it was available on Google Play before users realized they were victims of an identity scheme.

Even though the Google Play store has put various verification systems in place for apps, threat actors are constantly coming up with new ways to disguise their credential stealers. Users have to be incredibly cautious and read the reviews, look at the ratings, and read the descriptions fully. Google Play remains one of the safest places to download mobile apps, so people should still avoid third-party websites.