Cybercriminals often use themes of popular and useful apps to trick people into downloading malicious apps, so that they can gain access to victims' devices and steal data. According to researchers, a group of attackers has been luring potential Android users by using numerous malicious apps to steal Facebook credentials, since 2018.

About the campaign

According to a Zimperium report, these malicious apps known as the Schoolyard Bully Trojan are masquerading as legitimate, reading, and education apps on Google Play Store and third-party app stores.
  • The malicious apps prompt users to login into Facebook accounts and display a legitimate Facebook login page using WebView.
  • Attackers inject malicious Javascript into the WebView to steal and extract the user's input (email address, password, and phone number), then upload it to the configured Firebase C2 server.

Trojan capabilities

  • The trojan is capable of stealing information from the victims’ Facebook accounts including credentials, account ID, username, device name, device RAM, and device API.
  • Moreover, this Android threat campaign uses native libraries to hide its malicious code, C2 details, and educational data from antivirus and machine learning virus detections.

Additional insights

The malicious apps used in the campaign primarily target Vietnamese readers.
  • Additionally, the researchers found over 300,000 victims across 71 countries, including the U.S., Russia, China, Canada, Brazil, and Australia.
  • Experts found 37 apps associated with this campaign and these are actively being distributed via third-party app stores as Google has removed these apps from the Play Store.


Malicious apps on third-party app stores disguise themselves to look interesting and useful and their developers even publish fake reviews of the apps to cover up negative ones. Users must keep in mind that there are many illegitimate apps that offer the same features and functionality but perform malicious activities in the background. Therefore, besides just observing the telltale signs that differentiate malicious apps from legitimate apps, users are advised to consider additional factors such as avoiding downloads from third-party app stores and having additional dedicated security solutions for mobile phones.
Cyware Publisher