Researchers have uncovered a new type of Android Trojan attack that spreads via social media hijacking.
Evidence of the malware was dug up by the zLabs team at mobile security company Zimperium. A forensic investigation revealed the malicious software to be part of a family of Trojans that use social engineering to compromise Facebook accounts.
Zimperium's Aazim Yaswant said: "A new Android Trojan codenamed FlyTrap has hit at least 140 countries since March 2021 and has spread to over 10,000 victims through social media hijacking, third-party app stores, and sideloaded applications."
The malware places victims at risk of identity theft by hijacking their social media accounts via a Trojan infecting their Android device. Data stolen by FlyTrap includes Facebook ID, location, email address, IP address, and cookies and tokens associated with the Facebook account.
"These hijacked Facebook sessions can be used to spread the malware by abusing the victim’s social credibility through personal messaging with links to the Trojan, as well as propagating propaganda or disinformation campaigns using the victim’s geolocation details," said Yaswant.
FlyTrap ensnares social media users by pretending to offer discount codes for Netflix and Google AdWords or asking users to vote for their favorite soccer team. Users are then taken to a fake Facebook login page and asked to enter their credentials.
The Trojan works by opening the genuine URL inside a WebView configured with the ability to inject JavaScript code. It then steals all the necessary information such as the user's account details and IP address by injecting malicious JS code.
Threat actors based in Vietnam are believed to have been running this session hijacking campaign since springtime.
The threat researchers found that the malicious applications were first distributed through both Google Play and third-party application stores.
"Zimperium zLabs reported the findings to Google, who verified the provided research and removed the malicious applications from the Google Play store. However, the malicious applications are still available on third-party, unsecured app repositories, highlighting the risk of sideloaded applications to mobile endpoints and user data," said Yaswant.
FlyTrap Trojan Android applications include Vote European Football (com.gardenguides.plantingfree) and Chatfuel (com.ynsuper.chatfuel).