The malware, dubbed FlyTrap, works by stealing session cookies.
FlyTrap relies on a few simple social engineering tactics to trick victims into using their Facebook credentials to log into malicious apps, which then collect the data associated with the social media session.
Researchers from the security company Zimperium discovered the new malware and found that the stolen information was accessible to anyone who located FlyTrap's command and control (C2) server.
The FlyTrap campaigns appear to have been running since March; the threat actor used malicious applications with high-quality design, distributed through Google Play and third-party Android stores.
What Was the Lure?
As a lure, the attackers were offering free coupon codes (for Netflix, Google AdWords).
In order to obtain the reward, the users had to log into the app using their Facebook credentials.
Notably, because the malicious apps used the real Facebook single sign-on (SSO) service, they could not capture users' credentials directly, so FlyTrap relied on JavaScript injection to harvest other sensitive data.
Using this technique, the application opens the legitimate login URL inside a WebView that the app controls and can inject JavaScript into; the injected code extracts the session cookies, user account details, location, and IP address.
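The trust boundary FlyTrap exploits is that an app-hosted WebView belongs to the app, not to the user. As an added example (not code from the article or from Zimperium's analysis), the contrast below shows the WebView pattern beside the defensive alternative a legitimate Android app should use for SSO: a Chrome Custom Tab, where the login page runs in the user's browser and the app only ever receives the redirect it registered for. The package name, `LOGIN_URL` and the function names are assumptions; the Custom Tabs calls are the real `androidx.browser` API.

```kotlin
package com.example.sso // assumed package name

import android.content.Context
import android.content.Intent
import android.net.Uri
import android.webkit.WebView
import androidx.browser.customtabs.CustomTabsClient
import androidx.browser.customtabs.CustomTabsIntent

// Placeholder login URL; a real app would use its identity provider's authorize endpoint.
private const val LOGIN_URL = "https://example.com/login"

/**
 * The pattern the article describes: the login page is rendered inside a WebView that
 * the hosting app owns. With JavaScript enabled, the app decides what script runs in
 * the page, and the shared android.webkit.CookieManager exposes the page's cookies to
 * the app (HttpOnly included, because the cookie store is the app's, not the page's).
 * Shown only to make the trust boundary visible; an SSO flow should not be hosted here.
 */
fun riskyWebViewLogin(webView: WebView) {
    webView.settings.javaScriptEnabled = true // the setting that makes injection possible
    webView.loadUrl(LOGIN_URL)
}

/**
 * Hardened alternative: hand the login page to the system browser via a Custom Tab.
 * The page runs in the browser's process with the browser's cookie jar; the app cannot
 * inject script or read cookies and only gets back the redirect URI it registered.
 */
fun safeBrowserLogin(context: Context) {
    val uri = Uri.parse(LOGIN_URL)
    // Find a browser that supports Custom Tabs (null if none is installed).
    val customTabsPackage = CustomTabsClient.getPackageName(context, null)
    if (customTabsPackage != null) {
        CustomTabsIntent.Builder().build().apply {
            intent.setPackage(customTabsPackage)
            launchUrl(context, uri)
        }
    } else {
        // No Custom Tabs provider: fall back to the external browser, never to a WebView.
        context.startActivity(Intent(Intent.ACTION_VIEW, uri))
    }
}
```

The practitioner caveat this illustrates: server-side cookie hardening such as `HttpOnly` does not protect a session against a malicious host app, because the app owns the WebView's cookie store rather than merely scripting the page. The mitigation sits on the client side (SSO through the browser, not an embedded WebView) and in the identity provider warning users when a login originates from an unfamiliar app or device.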
The information collected in this manner was sent to FlyTrap's C2 server, and it appears that more than 10,000 Android users from 144 countries fell victim to this social engineering.
Aazim Yaswant from Zimperium disclosed in a blog post that FlyTrap's C2 server had multiple security vulnerabilities that facilitated access to the stored information, and noted that social media represents a common target for threat actors.
Social media accounts can be used for fraudulent purposes such as artificially boosting the popularity of pages, sites, or products, or spreading misinformation or a political message.
As with any user manipulation, high-quality graphics and official-looking login screens are common tactics for getting users to take actions that could reveal sensitive information. In this case, while the user is logging into their official account, the FlyTrap Trojan is hijacking the session information for malicious intent.
It's worth noting that, without using any new or revolutionary techniques, FlyTrap hijacked a significant number of Facebook accounts.