Researchers have uncovered a new Android trojan, dubbed FlyTrap, that has spread to more than 10,000 victims via malicious apps on third-party app stores, sideloaded apps and hijacked Facebook accounts.
FlyTrap has spread to at least 144 countries since March, via malicious apps distributed through the Google Play store and third-party app marketplaces. The malware belongs to a family of trojans that use social engineering to take over Facebook accounts. The session-hijacking campaign was initially distributed via Google Play as well as third-party app stores, and thankfully, Google Play has since removed the malicious apps.
They are, however, still being distributed on unsecured third-party app stores, which highlights the risk that sideloaded applications pose to mobile endpoints and user data.
The nine malicious applications are built around free Netflix codes, Google AdWords vouchers, and voting for the best football team or player. They are designed to entice and are produced with high-quality graphics.
“Just like any user manipulation, the official-looking login screens are common tactics to have users take action that could reveal sensitive information. While the user is logging into their official account, the FlyTrap Trojan is hijacking the session information for malicious intent.”
Before the malware apps dish out the promised goodies, targeted users are told to log in with their Facebook accounts to cast their vote or collect the coupon code or credits. There are, of course, no free Netflix or AdWords coupons or codes; the malicious apps are simply after the Facebook login session. They make a last-ditch attempt to look legitimate by presenting a message saying that the coupon or code expired, “after redemption and before spending.”
Once a confused Android user has logged in through the app, it gets busy collecting data that includes the victim’s Facebook ID, location, email address, IP address, and the cookies and tokens associated with the Facebook account. The trojan then uses the hijacked accounts to propagate, making it look like the rightful owners are sharing legitimate posts with links to the Trojan, and it can also push propaganda or disinformation tailored to the victim’s geolocation. These social engineering techniques are highly effective in a digitally connected world and are often used by cyber criminals to spread malware from one victim to the next.
A similar campaign was SilentFade: a malware campaign, linked to threat actors who targeted Facebook’s ad platform for years, that siphoned £2.8m from users’ advertising accounts, using the compromised accounts to promote malicious ads, steal browser cookies and more. More recently, a similar malware, a password- and cookie-stealer named CopperStealer, was found to have been compromising Amazon, Apple, Google and Facebook accounts since 2019, then using them for further cyber criminal activity.
FlyTrap’s command-and-control (C2) server uses the stolen login credentials to authorise access to the harvested data. But it gets worse: zLabs found that the C2 server has a misconfiguration that could be exploited to expose the entire database of stolen session cookies to any internet user, further endangering the victims.
There’s nothing new about credential theft from mobile devices; mobile endpoints are often viewed as a treasure trove of unprotected login information for social media accounts, banking applications, enterprise tools and more. In fact, FlyTrap’s tools and techniques are so effective that it would be no surprise if another malicious actor picks them up and retrofits them.
Neuways advises users to do their research before blindly clicking on hyperlinks. This malware spreads mainly by promising vouchers, and it is this social engineering aspect that is the most concerning and dangerous. We advise users to better understand social engineering attacks so they can be spotted earlier, and ultimately protect themselves and their business from being hacked. Where possible, users should also enable multi-factor authentication (MFA) on all social media accounts and on any other accounts with access to sensitive or private data. MFA will not stop this kind of attack on its own, because FlyTrap steals the session cookies and tokens issued after the victim has already completed the login, second factor included, so the attacker never has to pass the MFA check. It does, however, add a further security layer: the account cannot be re-entered with the password alone, and features such as login and location-based alerts on the user’s profile give the victim a chance to notice a session being used from somewhere unexpected.
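To make the last point concrete, here is an added example (not code from the article, from Neuways, or from any vendor report on FlyTrap) of why a stolen session cookie walks past MFA, and of one server-side check that catches the replay. It models a toy session store: MFA is verified once at login and a session token is issued; a cookie-only check then accepts whoever presents that token, whereas a check that binds the session to the client address which completed the login revokes the session and records an alert when the token turns up from elsewhere. The user name, IP addresses and session layout are all constructed for illustration.

```python
# Added example, not from the article or any FlyTrap report: a toy
# session store showing why a replayed session cookie bypasses MFA and
# how binding the session to the login context catches the replay.
# User name and IP addresses below are constructed for illustration.
import secrets


class SessionStore:
    """Minimal server-side session table keyed by the cookie value."""

    def __init__(self):
        # token -> {"user": str, "ip": str}; the token is exactly what the
        # browser (or a trojan such as FlyTrap) holds as the session cookie.
        self.sessions = {}
        self.alerts = []

    def login(self, user, password_ok, mfa_ok, client_ip):
        """Full login: password and second factor are both checked here,
        once. Returns the session token that is then set as the cookie."""
        if not (password_ok and mfa_ok):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "ip": client_ip}
        return token

    def access_naive(self, token):
        """Cookie-only check: whoever presents the token is the user.
        MFA was satisfied at login, so a replayed cookie never meets it."""
        entry = self.sessions.get(token)
        return entry["user"] if entry else None

    def access_bound(self, token, client_ip):
        """Same check, but the session is bound to the address that
        completed login. A replay from a different address revokes the
        session and records an alert, so everyone must log in (and pass
        MFA) again before the account can be used."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        if entry["ip"] != client_ip:
            self.alerts.append(
                f"session for {entry['user']} presented from {client_ip}, "
                f"bound to {entry['ip']}; session revoked"
            )
            del self.sessions[token]
            return None
        return entry["user"]


def demo():
    """Victim logs in with MFA; an attacker then replays the stolen cookie."""
    store = SessionStore()
    victim_ip, attacker_ip = "203.0.113.10", "198.51.100.7"  # constructed
    cookie = store.login("victim", password_ok=True, mfa_ok=True,
                         client_ip=victim_ip)
    return {
        # cookie-only check: the attacker is in, MFA never came into play
        "naive_replay": store.access_naive(cookie),
        # bound check: replay from the attacker's address is refused
        "bound_replay": store.access_bound(cookie, attacker_ip),
        "alerts": list(store.alerts),
        # the revoked session no longer works even for the real victim
        "victim_after_replay": store.access_bound(cookie, victim_ip),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Binding to a raw IP address is deliberately crude here, since mobile networks change addresses often; real services use a broader device and behaviour fingerprint, risk scoring, and re-authentication for sensitive actions. The point the example makes stands regardless: once the post-login token is stolen, only server-side checks on how that token is used, plus alerts that let the owner react, can limit the damage.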