Trojan Steals Facebook Details from Over 300K Victims

A newly discovered Trojan has stolen Facebook logins from over 300,000 users in a campaign lasting four years, according to Zimperium.

The security vendor claimed to have found the “Schoolyard Bully” malware hidden in several applications available on both Google Play and third-party app stores.

“Even though these apps have now been removed from Google Play Store, they are still available on third-party app stores waiting to shake down their next student victim,” the firm warned.

The malware is designed to steal the email, phone number, Facebook password, ID and name of its victims, and is hidden in benign-looking educational applications, Zimperium explained.

“This Trojan uses Javascript injection to steal the Facebook credentials,” it added. “The Trojan opens the legitimate URL inside a WebView with the malicious Javascript injected to extract the user’s phone number, email address and password, then sends it to the configured Firebase C&C.”

It uses native libraries to stay hidden from most AV and machine learning detection tools, and to store its C&C data.
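For defenders triaging decompiled Android apps, the behaviour described above can be approximated as a combination of static signals. The following Python sketch is an added example, not Zimperium's detection logic or code from the malware: the signal set, verdict thresholds and sample snippets (including the `Cfg` class and `cfg` library name) are constructed assumptions, and a match is a reason for manual review rather than proof of malice.

```python
import re

# Static-triage signals for decompiled Android source (Java text).
SIGNALS = {
    "js_enabled": re.compile(r'setJavaScriptEnabled\s*\(\s*true\s*\)'),
    "js_injected": re.compile(r'evaluateJavascript\s*\(|loadUrl\s*\(\s*"javascript:'),
    "third_party_login": re.compile(r'https?://(?:[\w-]+\.)*facebook\.com\b', re.I),
    "native_lib": re.compile(r'System\.loadLibrary\s*\('),
}
# App-supplied script running inside a third-party login page.
INJECTION = {"js_enabled", "js_injected", "third_party_login"}

def triage(source):
    """Return (verdict, sorted signal names) for one decompiled source file."""
    hits = {name for name, rx in SIGNALS.items() if rx.search(source)}
    if INJECTION <= hits:
        # Native code is only a corroborating signal; many benign apps load it.
        verdict = "high" if "native_lib" in hits else "medium"
    else:
        verdict = "low"
    return verdict, sorted(hits)

# Constructed samples (not taken from the real apps).
SUSPICIOUS = '''
public class LoginActivity extends Activity {
    static { System.loadLibrary("cfg"); }
    void open(WebView w) {
        w.getSettings().setJavaScriptEnabled(true);
        w.loadUrl("https://m.facebook.com/login");
        w.evaluateJavascript(Cfg.script(), value -> Cfg.report(value));
    }
}
'''
PLAIN_LOGIN = '''
void open(WebView w) {
    w.getSettings().setJavaScriptEnabled(true);
    w.loadUrl("https://www.facebook.com/login");
}
'''
HELP_PAGE = '''
void open(WebView w) {
    w.loadUrl("https://example.org/help");
}
'''

if __name__ == "__main__":
    for name, src in [("suspicious", SUSPICIOUS), ("plain_login", PLAIN_LOGIN),
                      ("help_page", HELP_PAGE)]:
        print(name, *triage(src))
```
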

Although focused on Vietnam, the long-running campaign has been infecting users in 71 countries since 2018, Zimperium added.

“The actual number of countries could be more than what was accounted for because the applications are still being found in third-party app stores,” the security vendor said.

Malicious applications continue to flourish in the Android ecosystem, despite Google’s best efforts to police the Play store. Just last month, researchers discovered a new banking Trojan dubbed “Vultur” which garnered 100,000 downloads on Google Play.

Editorial credit header image: Daniel Chetroni / Shutterstock.com