Researchers at the zLabs team at mobile security company Zimperium have uncovered a new Android Trojan that’s goal is to hijack the social media profiles of its victims. The malware has been dubbed FlyTrap and has affected over 140 countries since March 2021 and spread to over 10,000 victims. By using a lure in a phishing email, the threat actors trick victims into signing into their Facebook account through Facebook’s Single Sign-On (SSO) and proceeds to steal personal details such as location, IP Address, and injects malicious JavaScript code onto the victim’s device. The malware spreads using the victim’s social media credibility through personal messaging with links to the Trojan, as well as spreading propaganda or disinformation campaigns. Since FlyTrap uses Facebook’s legitimate SSO, it does not allow the threat actor to steal the login credentials for the account. All the stolen information from victims is sent to the Command and Control (C2) server that is run by the threat actors. Researchers found that the C2 servers were not probably secured, allowing anyone to access the information on them. The threat actor is believed to be based out of Vietnam. Researchers informed Google of the trojan, and they removed the malicious apps spreading the malware from the Google Play Store, but some apps are still available on third-party stores.
Analyst Notes
Anyone that uses Android devices is at risk for this attack. People should ensure that when downloading apps on their mobile devices, they are doing so from authorized app stores and not unknown third-party stores. Google does a good job at identifying malicious apps and taking them down from the play store, whereas other app stores might not be as strict. Anytime someone receives an email from an unknown sender they should be cautious of any links in the email and not click on them without first verifying the sender. The lures in this case included an offer for free Netflix or Google AdWords as well as asking recipients to vote on their favorite soccer team. When using social media, people should understand that it is possible for these accounts to be taken over and if they normally do not communicate through the social media platforms with certain people, they should not open messages from them without confirming with the account owner that they meant to send the message. Companies that offer Android devices to employees should make sure the devices have security settings and controls on them to identify when malware has been downloaded and stop the download of apps from unknown sources.
More can be read here: https://www.infosecurity-magazine.com/news/new-android-trojan-hijacks-social/