Flytrap

Thousands of Facebook accounts compromised by FlyTrap

FlyTrap, a new Android Trojan that has spread to over 10,000 victims through social media hijacking, third-party app stores, and sideloaded applications, has affected at least 140 countries since March 2021.

The zLabs team examined the forensic evidence and concluded that this previously undetected malware is part of a family of Trojans that deploy social engineering tricks to compromise Facebook accounts. According to that evidence, this active Android Trojan campaign, called FlyTrap, has been carried out by malicious parties based in Vietnam since March 2021. Initial distribution of these malicious applications took place through both Google Play and third-party application stores.

The findings were reported to Google by zLabs, who verified the research and removed the malicious applications from the Google Play store. Despite this, the malicious applications can still be found on third-party, unsecured app repositories, demonstrating the risk that sideloaded applications pose to mobile devices and user data.

Information Collected by FlyTrap

The following information was collected from the victim's device:

–   Facebook ID
–   Email address
–   Location
–   IP address
–   Cookies and tokens associated with the Facebook account

Attack Methodology

In order to lure users in, the threat actors used multiple appealing themes such as free coupon codes for Netflix and Google Adsense and voting for the best football team and player.

This engagement continues until the user is shown the Facebook login page and asked to log in to their account as the final step to submit their vote or collect the coupon code and credits.


It's more than just phishing!

It is a common misconception that account compromises or hijackings always involve phishing pages. However, a hijacking can be accomplished even while the user is logged into the original, legitimate domain. This Trojan exploits a technique known as JavaScript injection.

In this technique, the application opens the legitimate URL inside a WebView configured to allow JavaScript, then injects malicious JavaScript to extract the necessary information, such as cookies, user account details, location and IP address.

This manipulation of web resources is described under “Cross-principal manipulation (XPM)” in the paper An Empirical Study of Web Resource Manipulation in Real-world Mobile Applications.
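For analysts triaging sideloaded APKs, the technique above has a recognisable API footprint in decompiled source: a WebView with JavaScript enabled that loads a legitimate login page, injects script, reads the session cookie through CookieManager, and posts it out. The following heuristic scorer is an added example written for this write-up, not code from Zimperium or from the FlyTrap samples; the indicator weights, threshold and the two Java snippets are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Each indicator: (name, regex over decompiled Java/Kotlin text, weight).
# The weights are an assumption for this example, not a published scoring scheme.
INDICATORS = [
    ("js_enabled",   r"setJavaScriptEnabled\(\s*true\s*\)",               1),
    ("js_injection", r"loadUrl\(\s*\"javascript:|evaluateJavascript\(",  3),
    ("js_bridge",    r"addJavascriptInterface\(",                         2),
    ("cookie_read",  r"CookieManager\.getInstance\(\)\.getCookie\(",      3),
    ("login_domain", r"https?://(?:m\.|www\.)?facebook\.com/login",       2),
    ("http_post",    r"setRequestMethod\(\s*\"POST\"\s*\)",               1),
]
SUSPICIOUS_THRESHOLD = 8

@dataclass
class Verdict:
    score: int = 0
    hits: list = field(default_factory=list)
    suspicious: bool = False

def triage_source(java_source: str) -> Verdict:
    """Score one decompiled class; flag it only when injection and cookie access co-occur."""
    v = Verdict()
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, java_source):
            v.hits.append(name)
            v.score += weight
    # A WebView with JavaScript on is ordinary; the chain of script injection,
    # session-cookie read and outbound POST is what distinguishes the Trojan.
    v.suspicious = (v.score >= SUSPICIOUS_THRESHOLD
                    and "cookie_read" in v.hits and "js_injection" in v.hits)
    return v

# Constructed samples standing in for decompiled classes (not from real FlyTrap APKs).
BENIGN_SAMPLE = """
    webView.getSettings().setJavaScriptEnabled(true);
    webView.loadUrl("https://example.com/news");
"""
SUSPICIOUS_SAMPLE = """
    webView.getSettings().setJavaScriptEnabled(true);
    webView.loadUrl("https://m.facebook.com/login");
    webView.evaluateJavascript("document.title", null);
    String c = CookieManager.getInstance().getCookie("https://facebook.com");
    conn.setRequestMethod("POST");
"""
```

Run `triage_source` over each decompiled class of an APK (for example the output of jadx) and review the classes it flags; the benign sample scores 1 while the suspicious sample scores 10 and is flagged.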

After the victim successfully logs in to Facebook, the data exfiltration process begins, as shown in the screenshots below of the communication with the C&C server. In this request the malicious app sends a POST request containing the user data exfiltrated by JavaScript injection.

The following data is sent to the C&C server:
–   Account ID
–   Cookie

One of the Command & Control servers shows partial details of the harvested data, such as country code, Facebook UID, and the date and time of collection.
The Username and Password columns were kept blank, as it was not intended to expose harvested credentials to the public.

One of the Command & Control servers that stores the harvested credentials

Impact and Victims

Based on the exposed database, which includes the geolocation information of several thousand victims, Zimperium zLabs developed the victimology map shown below. Researchers at Zimperium zLabs have found more than 10,000 victims across 144 countries, highlighting the massive impact of this social engineering campaign.

This is just one example of the ongoing, active threats aimed at stealing credentials from mobile devices. Mobile endpoints are often unprotected reservoirs of social media accounts, banking apps, enterprise applications, and other information. While FlyTrap’s techniques are not novel, they are effective because these devices lack advanced mobile endpoint security measures. It would not be difficult for a malicious party to modify FlyTrap or any other Trojan to target even more sensitive data.

C&C Servers

  • hxxp://47[.]57[.]237[.]26
  • hxxp://165[.]232[.]173[.]244:3023
  • hxxps://manage-ads[.]com
  • hxxp://quanlysanpham[.]work
