A new Android-based trojan has been discovered that can hijack the Facebook accounts of users by stealing session cookies. According to the researchers, the malware campaigns employ simple social engineering tactics.

FlyTrap is everywhere

Researchers from the security firm Zimperium spotted a new Trojan called FlyTrap to extract the Facebook login credentials of users.
  • Spread across 140 countries since March, the FlyTrap campaign involves leveraging malicious applications to spread the malware via Google Play and other third-party Android stores.
  • Experts suspect that more than 10,000 Android users may have fallen victim to this attack campaign that uses various offers as baits.

Offers one can’t refuse

Criminals used lures such as free coupon codes for popular services such as Google AdWords or Netflix. 
  • In some cases, voting for the popular soccer team, player, or staying updated with UEFA Euro 2020 competition were also used to entice victims.
  • An interested user must log in to the malicious app with their Facebook credentials to claim the reward.

Additional info

These malicious apps use a legitimate Facebook Single Sign-On (SSO) service, which prevents capturing users’ credentials. To overcome this, the Trojan uses JavaScript injection to collect sensitive information.
  • All of the information gathered was eventually uploaded to FlyTrap's C2 server. 
  • Moreover, FlyTrap’s C2 server was found to have multiple security holes, which could result in the further leaks of stolen Facebook session cookies from the server.

Conclusion

Even without using any new technique, FlyTrap hijacked a large number of Facebook accounts. These stolen account credentials could be used in other malicious actions. Moreover, the campaign is still active and with some modifications, it can become a more serious threat for smartphone users.

Cyware Publisher

Publisher

Cyware