A new Android trojan has been found to compromise Facebook accounts of over 10,000 users in at least 144 countries since March 2021 via fraudulent apps distributed through the Google Play Store and other third-party app marketplaces.
Dubbed "FlyTrap," the previously undocumented malware is believed to be part of a family of trojans that employ social engineering tricks to breach Facebook accounts as part of a session hijacking campaign orchestrated by malicious actors operating out of Vietnam, according to a report published by Zimperium's zLabs today and shared with The Hacker News.
Although the offending nine applications have since been pulled from Google Play, they continue to be available in third-party app stores, "highlighting the risk of sideloaded applications to mobile endpoints and user data," Zimperium malware researcher Aazim Yaswant said. The list of apps is as follows –
- GG Voucher (com.luxcarad.cardid)
- Vote European Football (com.gardenguides.plantingfree)
- GG Coupon Ads (com.free_coupon.gg_free_coupon)
- GG Voucher Ads (com.m_application.app_moi_6)
- GG Voucher (com.free.voucher)
- Chatfuel (com.ynsuper.chatfuel)
- Net Coupon (com.free_coupon.net_coupon)
- Net Coupon (com.film.net_coupon)
- EURO 2021 Official (com.euro2021)
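Because the apps were pulled from Google Play but remain available through sideloading, a practical response for a fleet of managed Android devices is to sweep installed package names against the nine identifiers above. The following script is an added example written for this article, not code from Zimperium or The Hacker News. It parses the output of `adb shell pm list packages` (each line has the form `package:<name>`), reports any installed package that matches the reported FlyTrap identifiers, and runs against a constructed sample listing when executed directly; the `scan_device` helper that shells out to `adb` assumes `adb` is on the PATH and a device is attached.

```python
"""Sweep an Android device's installed packages for the FlyTrap app identifiers.

Added example, not part of the original article. The package names come from
the list published in the Zimperium report; everything else is assumed.
"""
import re
import subprocess

# Package name -> app name, exactly as listed in the report (two names repeat).
FLYTRAP_PACKAGES = {
    "com.luxcarad.cardid": "GG Voucher",
    "com.gardenguides.plantingfree": "Vote European Football",
    "com.free_coupon.gg_free_coupon": "GG Coupon Ads",
    "com.m_application.app_moi_6": "GG Voucher Ads",
    "com.free.voucher": "GG Voucher",
    "com.ynsuper.chatfuel": "Chatfuel",
    "com.free_coupon.net_coupon": "Net Coupon",
    "com.film.net_coupon": "Net Coupon",
    "com.euro2021": "EURO 2021 Official",
}

# Constructed sample of `pm list packages` output: two benign apps, two hits,
# plus a blank line and a stray line to show the parser ignores noise.
SAMPLE_PM_OUTPUT = """package:com.android.chrome
package:com.free_coupon.net_coupon

package:com.example.notes
Warning: some unrelated adb output
package:com.euro2021
"""

_PKG_LINE = re.compile(r"^package:(\S+)$")


def parse_package_list(output: str) -> list:
    """Return the package names found in `pm list packages` output, in order."""
    packages = []
    for line in output.splitlines():
        match = _PKG_LINE.match(line.strip())
        if match:
            packages.append(match.group(1))
    return packages


def find_flytrap_packages(installed) -> dict:
    """Map each installed package that matches a FlyTrap identifier to its app name."""
    return {pkg: FLYTRAP_PACKAGES[pkg] for pkg in installed if pkg in FLYTRAP_PACKAGES}


def scan_device(serial: str = None) -> dict:
    """Run `adb shell pm list packages` on an attached device and return the hits.

    Assumes `adb` is on the PATH; pass `serial` when more than one device is attached.
    """
    cmd = ["adb"]
    if serial:
        cmd += ["-s", serial]
    cmd += ["shell", "pm", "list", "packages"]
    result = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return find_flytrap_packages(parse_package_list(result.stdout))


if __name__ == "__main__":
    hits = find_flytrap_packages(parse_package_list(SAMPLE_PM_OUTPUT))
    if not hits:
        print("no FlyTrap packages found")
    for pkg, name in hits.items():
        print(f"FlyTrap indicator: {name} ({pkg})")
```

Matching on package name only catches the nine builds named in the report; a repackaged variant under a new identifier would not be flagged, so treat a clean result as the absence of these specific indicators rather than proof the device is uninfected.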
The malicious apps claim to offer Netflix and Google AdWords coupon codes and let users vote for their favorite teams and players at UEFA EURO 2020, which took place between 11 June and 11 July 2021, only under the condition that they log in with their Facebook accounts to cast their vote, or collect the coupon code or credits.
Once a user signs into the account, the malware is equipped to steal the victim's Facebook ID, location, email address, IP address, and the cookies and tokens associated with the Facebook account, thus enabling the threat actor to carry out disinformation campaigns using the victim's geolocation details or propagate the malware further via social engineering techniques by sending personal messages containing links to the trojan.
While the exfiltrated data is hosted on a command-and-control (C2) infrastructure, security flaws found in the C2 server could be exploited to expose the entire database of stolen session cookies to anyone on the internet, thereby putting the victims at further risk.
"Malicious threat actors are leveraging common user misconceptions that logging into the right domain is always secure regardless of the application used to log in," Yaswant said. "The targeted domains are popular social media platforms and this campaign has been exceptionally effective in harvesting social media session data of users from 144 countries. These accounts can be used as a botnet for different purposes: from boosting the popularity of pages/sites/products to spreading misinformation or political propaganda."