FlyTrap, a new Android Trojan that has spread to over 10,000 victims through social media hijacking, third-party app stores, and sideloaded applications, has affected at least 140 countries since March 2021.
The zLabs team examined the forensic evidence and concluded that this previously undetected malware is part of a family of Trojans that use social engineering tricks to compromise Facebook accounts. According to that evidence, the campaign, named FlyTrap, has been run by malicious actors based in Vietnam since March 2021. The malicious applications were initially distributed through both Google Play and third-party application stores.
zLabs reported the findings to Google, which verified the research and removed the malicious applications from the Google Play store. The same applications can still be found in third-party, unvetted app repositories, which shows the risk that sideloaded applications pose to mobile devices and user data.
The following information was collected from the victim's device:
– Facebook ID
– Location
– Email address
– IP address
– Cookies and tokens associated with the Facebook account
To lure users in, the threat actors used several appealing themes, such as free coupon codes for Netflix and Google AdSense and voting for the best football team and player.
The engagement continues until the user is shown the Facebook login page and asked to log in to their account as the final step to submit their vote or collect the coupon code or credits.
The following data is sent to the C&C server:
– Account ID
– Cookie
A stolen session cookie lets the attacker reuse the victim's authenticated Facebook session from another device without knowing the password, until that session is revoked.
One of the Command & Control servers shows partial details of the harvested data, such as country code, Facebook UID, and the date and time the data was collected.
The Username and Password columns were left blank so that harvested credentials were not exposed to the public.
One of the Command & Control servers that stores the harvested credentials
Based on the exposed database, which includes the geolocation information of several thousand victims, Zimperium zLabs developed the victimology map shown below. Researchers at Zimperium zLabs found more than 10,000 victims across 144 countries, highlighting the scale of this social engineering campaign.
FlyTrap is just one example of the ongoing, active threats aimed at stealing credentials from mobile devices. Mobile endpoints are often unprotected reservoirs of social media accounts, banking apps, enterprise applications, and other sensitive information. While FlyTrap's techniques are not novel, they are effective because these devices typically lack advanced mobile endpoint security controls. It would not be difficult for a malicious party to modify FlyTrap or any other Trojan to target even more sensitive data.