A new Android Trojan, codenamed FlyTrap, has hit at least 144 countries since March 2021 and has spread to over 10,000 victims through social media hijacking, third-party app stores, and sideloaded applications.

Zimperium’s zLabs mobile threat research team recently found several previously undetected applications using Zimperium’s z9 malware engine and on-device detection. Following a forensic investigation, the zLabs team determined that this previously undetected malware belongs to a family of Trojans that use social engineering tricks to compromise Facebook accounts.

According to the research team, FlyTrap points to malicious parties operating out of Vietnam, who have been running this session hijacking campaign since March 2021. The malicious applications were initially distributed through both Google Play and third-party application stores.

Zimperium zLabs reported the findings to Google, which verified the research and removed the malicious applications from the Google Play store. However, the applications are still available on third-party, unsecured app repositories, highlighting the risk that sideloaded applications pose to mobile endpoints and user data.
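Because the removed apps persist on third-party repositories, a practical first check on a managed Android fleet is to enumerate which third-party packages were not installed by Google Play. The script below is an added example written for this article, not code from Zimperium or from the report: it parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installer) and flags anything whose installer is not `com.android.vending` (Google Play). The sample output, the package names and the trusted-installer list are constructed placeholders, not FlyTrap indicators.

```python
"""Flag sideloaded third-party packages from `adb shell pm list packages -3 -i`."""
import re

# Installer package names treated as trusted stores. com.android.vending is
# Google Play. Extending this set (e.g. with an OEM store) is a deployment
# decision; the one-entry list here is an assumption for the example.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Each output line looks like: "package:<name>  installer=<installer>"
# where <installer> is "null" when the package manager recorded no installer.
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_output(text):
    """Return a dict mapping package name -> installer (None when reported as null)."""
    packages = {}
    for line in text.splitlines():
        line = line.strip()
        match = LINE_RE.match(line)
        if not match:
            continue  # blank line or unexpected format; skip rather than crash
        pkg, installer = match.group(1), match.group(2)
        packages[pkg] = None if installer == "null" else installer
    return packages


def find_sideloaded(packages, trusted=TRUSTED_INSTALLERS):
    """Packages whose installer is unknown or not a trusted store.

    A None installer, or com.google.android.packageinstaller (the UI used when a
    user opens a downloaded APK), both indicate the app did not come from Play.
    """
    return sorted(pkg for pkg, inst in packages.items() if inst not in trusted)


# Constructed sample output (placeholder package names), as `pm list packages -3 -i`
# prints it; a real run would feed the command's stdout in here instead.
SAMPLE = """\
package:com.example.bank  installer=com.android.vending
package:com.example.coupon_voting  installer=null
package:com.example.football_poll  installer=com.google.android.packageinstaller
package:com.example.messenger  installer=com.android.vending
"""

if __name__ == "__main__":
    for pkg in find_sideloaded(parse_pm_output(SAMPLE)):
        print("sideloaded or unknown installer:", pkg)
```

Run it against real devices with `adb -s <serial> shell pm list packages -3 -i` piped into `parse_pm_output`; the flagged packages are the ones to pull for further analysis, since that is exactly the path (sideloaded APK or third-party store) through which the surviving FlyTrap samples still arrive.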

What Can FlyTrap Trojan Do?

The Trojan threatens the victim’s social identity by hijacking their Facebook account once it has infected their Android device. The information collected from the victim’s device includes:

  • Facebook ID
  • Location
  • Email address
  • IP address
  • Cookies and tokens associated with the Facebook account

These hijacked Facebook sessions can be used to spread the malware further by abusing the victim’s social credibility: personal messages carrying links to the Trojan, as well as propaganda or disinformation campaigns targeted using the victim’s geolocation details. Such social engineering techniques are highly effective in a digitally connected world and are routinely used by cybercriminals to spread malware from one victim to the next.


The threat actors used several lures that users find appealing, such as free Netflix coupon codes, Google AdWords coupon codes, and voting for the best football (soccer) team or player. Initially available in Google Play and third-party stores, the applications tricked users into installing and trusting them through high-quality designs and social engineering. After installation, the malicious application displays pages that engage the user and ask for a response, such as the ones shown below.

The engagement continues until the user is shown the Facebook login page and asked to log in to cast their vote or collect the coupon code or credits. This is just another trick to mislead the user, since no actual vote is recorded and no coupon code is ever generated.

Instead, the final screen tries to justify the missing coupon code by displaying the message “Coupon expired after redemption and before spending.” The following images show one of the applications’ UI navigation.

The database exposed by the attackers’ command-and-control server contains the geolocation of several thousand victims, from which the victimology map shown below was generated. The Zimperium zLabs mobile threat research team has found over 10,000 victims across 144 countries to date, which illustrates the reach of the social engineering campaign.

FlyTrap is just one example of the ongoing, active threats against mobile devices aimed at stealing credentials. Mobile endpoints are often treasure troves of unprotected login information to social media accounts, banking applications, enterprise tools, and more.


The tools and techniques used by FlyTrap are not novel, but they are effective because these devices lack advanced mobile endpoint security. It would take little effort for a malicious party to modify FlyTrap, or any other Trojan, to target even more critical information.