Researchers warn about a newly-discovered Android Trojan called FlyTrap that’s capable of taking over Facebook accounts by using fake apps available in the Google Play Store and other third-party Android app stores. The malware is currently active in more than 140 countries and it operates by tricking its victim into logging into the fake app with their Facebook credentials, after which the virus hijacks the social media session, acquiring all sorts of sensitive data that could allow the criminal actors behind the threat to hijack the accounts of their victims.
The threat was discovered by security researchers at Zimperium, who have found that the data stolen from the virus’ victims can be accessed by anyone who gets access to the Trojan’s command and control server.
Fake apps used to perform the data extortion
According to the latest information, the FlyTrap Android Trojan has been acting in the wild since at least March this year. What has helped this malware spread trick over 10,000 users across 144 countries is that the apps it gets disguised as seem legitimate at first due to their polished look and good graphical design. At first glance, nothing about those apps seems sketchy or dangerous, leading to a big number of users falling for their trickery.
The fake apps that serve as disguise for the FlyTrap are apps for free coupon codes for Google AdWords and Netflix as well as voting apps that allow the user to vote for their favourite soccer players and teams, which cashes in on the delayed UEFA Euro 2020 competition.
To use the fake app, the user is required to log in with their Facebook account. The app itself uses the actual Facebook single sign-on service, which means that the hackers behind FlyTrap can’t directly extract the login credentials provided by the user. However, researchers report that, with this technique, the hackers are to open the legitimate URL within a specially configured JavaScript code that, in turn, extracts session data such as cookies, IP address, location, and account details.
The data collected by FlyTrap can be accessed by third-parties who can get access to the C2 server of the virus, which is not hard to do because the database of stolen information is publicly available to anyone on the web due to security vulnerabilities in the server (that the researchers at Zimperium have been able to exploit during their research).
Once the user account data comes into possession of the hackers, it could be used in a wide variety of ways, including artificial boosting of site ratings and view numbers, spreading misinformation, political propaganda, and more.
Aazim Yaswant, a researcher at Zimperium, says that the FlyTrap Trojan highlights the fact that phishing pages aren’t the only effective way for threat actors to gain possession of sensitive user data – exploiting legitimate domains that users log into is also something that can be exploited for similar purposes.
The technique used by FlyTrap isn’t a new one but its success and the fact that it has remained hidden for this long shows that it’s a rather effective attack strategy that users need to be aware of.
Leave a Comment