In a report released on Monday, August 9, cybersecurity organization Zimperium confirmed that a new Android Trojan has hit over 10,000 victims in 144 countries.  The Trojan, which is being called “FlyTrap”, has been spread through “social media hijacking, third-party apps stores, and side loaded applications” since March.

The threat was first identified by Zimperium’s zLabs mobile threat research team. They were able to figure out that the Trojan uses social engineering tricks to compromise victims’ Facebook accounts. FlyTrap hijacks a user’s Facebook account by infecting their Android device. This allows hackers to collect information about the user such as Facebook ID, location, email address, IP address, cookies, and tokens connected to the user’s account.

“These hijacked Facebook sessions can be used to spread the malware by abusing the victim’s social credibility through personal messaging with links to the Trojan, as well as propagating propaganda or disinformation campaigns using the victim’s geolocation details,” according the Zimperium researchers.

“These social engineering techniques are highly effective in the digitally connected world and are used often by cybercriminals to spread malware from one victim to another. The threat actors made use of several themes that users would find appealing such as free Netflix coupon codes, Google AdWords coupon codes, and voting for the best football (soccer) team or player.”

Zimperium researchers attributed the malware to groups based in Vietnam.  The attackers are able to distribute it using Google Play and other apps stores.  Google, who received a report of the malware, has removed the applications associated with the malware.  The report notes however that some applications are still available on “third party, unsecured app repositories.”

When a user downloads the app, they’re asked to enter their Facebook credentials to vote on something, or to collect coupon codes. Once they enter their information, they are redirected to a page that says the coupon is expired.

The malware uses something called “JavaScript injection,” which allows the suspect app to open legitimate URLs inside a “WebView configured with the ability to inject JavaScript code. The app then extracts information like cookies, user account details, location and IP address by injecting malicious JS code.”

Zimperium is suggesting that Android users find a way to check to see if any of their apps have FlyTrap because the malware can also be used for purposes like being used as a botnet to boost the popularity of certain pages or sites.

“FlyTrap is just one example of the ongoing, active threats against mobile devices aimed at stealing credentials. Mobile endpoints are often treasure troves of unprotected login information to social media accounts, banking applications, enterprise tools and more,” Zimperium researchers said.

“The tools and techniques used by FlyTrap are not novel but are effective due to the lack of advanced mobile endpoint security on these devices. It would not take much for a malicious party to take FlyTrap or any other Trojan and modify it to target even more critical information.”

Vice president at NTT Application Security, Setu Kulkarni, states that FlyTrap was a “nifty combination” of a handful of different vulnerabilities and that it takes advantage of an abundance of meta-data open to access, like location, as well as the implicit trust that can be gained by associated with corporations like Google and Netflix.

“This is not even the most concerning bit – the concerning bit is the network effect this type of Trojan can generate by spreading from one user to many. Moreover, as the summary of Zimperium’s findings states – this Trojan could be evolved to exfiltrate significantly more critical information like banking credentials,” Kulkarni said.

“The what-if scenarios don’t end there, unfortunately. What if this type of Trojan is now offered as a service, or what if this transforms quickly into ransomware targeting 100s of thousands of users? The bottom line does not change. It all begins with a user who is enticed to click a link. This begs the question – shouldn’t Google and Apple be doing more to address this for their entire customer base?” Kulkarni concludes.

Story via zdnet.com