This Android 'FlyTrap' Hijacks Victims' Facebook Account, Steals Personal Data, And More

The Android FlyTrap malware, a trojan.

The most effective way for unprivileged individuals to extract data from a target device is to plant malware on it.

If things go as planned, the malware, which can be designed as a trojan, infects the device and hijacks it. This time, a malware called 'FlyTrap' is targeting anyone on Earth, as long as they use Android.

Since first discovered, the malware has claimed more than 10,000 Facebook users as its victims, across more than 140 countries.

According to researchers at mobile security company Zimperium, the Android trojan hacking campaign has been going on since at least March 2021.

Zimperium’s Aazim Yaswant wrote in a blog post detailing the campaign:

“Forensic evidence of this active Android Trojan attack, which we have named FlyTrap, points to malicious parties out of Vietnam running this session hijacking campaign since March 2021. These malicious applications were initially distributed through both Google Play and third-party application stores.”

According to Yaswant, the FlyTrap hacking campaign uses deception to make people voluntarily give up their Facebook credentials.

The malicious apps do this by offering targets free coupon codes for services such as Netflix, Google AdWords, and more.

To receive the gifts, users must first sign in to their Facebook account.

Facebook offers what it calls single sign-on (SSO), which is meant to prevent third-party apps from harvesting users' credentials. But these apps worked around that barrier using a technique known as JavaScript injection: they open legitimate URLs inside a "WebView configured with the ability to inject JavaScript code."

This way, the apps can collect various pieces of sensitive data associated with users' Facebook session, including cookies and tokens.

By stealing this information, the hackers can effectively hijack people's Facebook sessions, which they then use to spread the malware further by running malicious campaigns through the victims' Facebook networks.

For example, the hackers can hijack users' Facebook account to send more phishing links to the users' contacts via direct messages and posts, or send them links hiding other, even more dangerous malware.

And not just that, as FlyTrap can also steal location data, IP addresses, email addresses, and more.

The many screens the FlyTrap malware can show. (Credit: Zimperium)

The graphical flow of FlyTrap, which lures victims into a Facebook sign-in page. (Credit: Zimperium)

"These social engineering techniques are highly effective in the digitally connected world and are used often by cybercriminals to spread malware from one victim to another."

While the malware is mostly being used to steal personal data at the moment, it could also be employed in more nefarious ways, such as to facilitate a large-scale ransomware deployment.

To protect against FlyTrap, Android users should at least use antivirus or anti-malware apps, never grant apps unnecessary permissions, never download unknown apps from unknown developers (even from the Google Play Store), never click on unknown links, and be wary of "too good to be true" offers and similar online scam techniques.

And whenever possible, only sign in to Facebook (or any other service) through its official app or website, and never when prompted by an ad, email, or unrelated app.

It is said that the malware group behind this FlyTrap campaign is from Vietnam.

Yaswant noted that the researchers were able to thwart the attacks and used vulnerabilities in the campaign's command and control (C2) servers to deconstruct it. However, these same vulnerabilities also expose the entire database of stolen details to anyone on the internet.

Google has since removed the malicious apps from the Play Store after being alerted by Zimperium. However, the apps are still available on third-party app stores and can still be side-loaded.

Published: 14/08/2021