Numerous Facebook accounts are compromised by a new malware attack named FlyTrap.
Since March 2021, Over 10,000 Facebook accounts have been compromised via a new Android trojan in 144 countries by installing fraudulent apps distributed through third-party platforms such as the Google Play Store.
Zimperium malware researcher Aazim Yaswant noted that the offending nine applications have since been removed from Google Play, but are available in third-party app stores, “proving the risk of sideloaded apps to endpoints and usage data,” he said.
The list of malicious apps are as follows –
- GG Voucher (com.luxcarad.cardid)
- Vote European Football (com.gardenguides.plantingfree)
- GG Coupon Ads (com.free_coupon.gg_free_coupon)
- GG Voucher Ads (com.m_application.app_moi_6)
- GG Voucher (com.free.voucher)
- Chatfuel (com.ynsuper.chatfuel)
- Net Coupon (com.free_coupon.net_coupon)
- Net Coupon (com.movie.net_coupon)
- EURO 2021 Official (com.euro2021)
How it works?
In these malicious apps, the scammers claim to offer Netflix and Google AdWords coupons and give away credits and codes as part of the UEFA EURO 2020 vote, which took place between 11 June and 11 July 2021, only if the users log in with their Facebook accounts.
When a victim signs into their Facebook account, the malware is able to steal their Facebook ID, location, email address, IP address, cookies and tokens. Consequently, the threat actor can use geolocation details to run disinformation campaigns or send personal messages containing trojan links to spread malware further.
The method is called JavaScript injection, in which “the application opens the legitimate URL within a WebView configured to inject JavaScript code and then gets all the necessary information via malicious [JavaScript] code,” as explained Yaswant.
Also See – LabCIF – Forensic Analysis For Mobile Apps
FlyTrap is just one example of the ongoing, active threats against mobile devices aimed at stealing credentials. Mobile endpoints are often treasure troves of unprotected login information to social media accounts, banking applications, enterprise tools, and more. The tools and techniques used by FlyTrap are not novel but are effective due to the lack of advanced mobile endpoint security on these devices. It would not take much for a malicious party to take FlyTrap or any other Trojan and modify it to target even more critical information.
Malicious threat actors are leveraging common user misconceptions that logging into the right domain is always secure irrespective of the application used to log in. The targeted domains are popular social media platforms and this campaign has been exceptionally effective in harvesting social media session data of users from 144 countries. These accounts can be used as a botnet for different purposes: from boosting the popularity of pages/sites/products to spreading misinformation or political propaganda.
What users need to do?
- Do not click on unknown links
- Change your Facebook password by time
- Delete your Browser cookies
- Always on two step authentication
