This dangerous new Android trojan can hijack your Facebook account

Bad Bots
(Image credit: Gonin / Shutterstock)

Cybersecurity researchers have unraveled a malicious campaign that tricked Android users with malicious apps in order to hijack their Facebook accounts.

According to researchers at mobile security company Zimperium, the campaign managed to hoodwink over 10,000 users across 140 countries.

“Forensic evidence of this active Android Trojan attack, which we have named FlyTrap, points to malicious parties out of Vietnam running this session hijacking campaign since March 2021. These malicious applications were initially distributed through both Google Play and third-party application stores,” Zimperium’s Aazim Yaswant wrote in a blog post detailing the campaign.

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

Yashwant notes that the researchers were able to turn the tables on the threat actors and used vulnerabilities in their command and control (C2) servers to deconstruct the campaign. Worryingly however he notes that these vulnerabilities also expose the entire database of stolen details to anyone on the internet.

Social engineering

According to Yashwant, on the face of it, the FlyTrap campaign is a run-off-the-mill scam that deceives people into voluntarily giving up their Facebook credentials. It does this by luring them with free coupon codes for services such as Netflix, Google AdWords, and more.

However, the malicious apps use the real Facebook single sign-on (SSO) service, which prevents them from harvesting users’ credentials. 

The threat actors work around this problem by using a trick known as JavaScript injection to instead collect various other pieces of sensitive data associated with the Facebook session, including cookies and tokens.

This allows them to effectively hijack the Facebook session, which they then use to spread the malware by running malicious campaigns through the Facebook user’s network.

Google has since removed the malicious apps from the Play Store, after being sounded off by Zimperium. However, the apps are still available on third-party app stores and can still be side-loaded. 

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.