According to cybersecurity researchers, an Android malware campaign that disguises itself as education and reading applications has been operating since 2018. It was built specifically to steal account credentials for the social media platform Facebook.

While the attacks primarily target users in Vietnam, a recent report from researchers at Zimperium outlines how the campaign has now infected hundreds of thousands of devices around the world.

The threat is a Trojan horse: malicious software that impersonates a legitimate product while posing a significant risk to users and their devices. The name comes from the Greek legend of the wooden horse of Troy, which appeared to be a gift but led to the fall of the city. Trojans may be designed to deploy further malware, give their operators control of the device, or harvest sensitive information such as user credentials.

Introducing Schoolyard Bully

Some of the applications used to spread the Trojan, which Zimperium's threat analysts have dubbed ‘Schoolyard Bully,’ were previously available on Google Play. They have since been removed, but Zimperium warns that the applications continue to spread through third-party stores that distribute Android apps.

Zimperium chose the name Schoolyard Bully because the malware poses as beneficial and harmless educational applications. Its core objective is to steal Facebook account credentials and related details: email addresses and passwords, account IDs, usernames, and device information such as the device name, RAM and Android API level.

The malware harvests this data by loading the genuine Facebook login page inside a WebView within the app and then injecting JavaScript that reads whatever the user enters into the form. Zimperium's analysts explain in the report:

“JavaScript is injected into the WebView using the ‘evaluateJavascript’ method. The JavaScript code extracts the value of elements with ids ‘m_login_email’ and ‘m_login_password,’ which are placeholders for the phone number, email address, and password.”

The malware also uses native libraries to hide its malicious code from security software and analysis tools. Such obfuscation is common in Trojans: it lets them persist on devices and stay undetected for long periods, from months to years.

Malware victims around the world

Zimperium states that its current telemetry shows the malware on approximately 300,000 victim devices in 71 countries.

Because the 37 applications linked to the campaign are also distributed through third-party app stores, the real number of victims is likely far higher.

Zimperium warns that more apps are likely in circulation than its researchers have so far uncovered. The operators behind Schoolyard Bully are not yet known, but the analysts determined that the Trojan is not linked to FlyTrap, the earlier operation that also tried to steal Facebook accounts from users in Vietnam.