Researchers discover ‘Schoolyard Bully’ Android malware that steals Facebook logins of 300,000 users

Security researchers at mobile security company Zimperium discovered an Android malware variant on the Google Play Store and third-party app stores that targets victims’ Facebook logins. The malware, dubbed ‘Schoolyard Bully’, has spread to over 300,000 victims in more than 71 countries.

The “Schoolyard Bully Trojan” apps masquerade as legitimate educational apps offering free books on various topics. However, they include a login option that opens the legitimate Facebook login page inside a WebView into which malicious JavaScript is injected. The script extracts the user’s phone number, email address and password and posts the data to the threat actors’ command-and-control (C2) server, which is configured on Firebase.

“Malicious code was hidden within these apps, but in reality they were able to steal Facebook credentials to upload to threat actors’ Firebase C&C,” the researchers wrote in a blog post.

Android malware uses native libraries to hide from antivirus

According to researchers from Zimperium zLabs, the Android malware uses native libraries to evade antivirus solutions that rely on machine-learning-based detection. The malicious apps also rely on the native library to store the stolen Facebook logins, and they keep their strings encoded to hinder detection. The promised educational materials are delivered in password-protected ZIP files, with the ZIP password and the stolen user details stored in the library.

The Android malware harvests Facebook logins (email address or phone number and password), the user ID and profile name of the compromised Facebook account, and device-related information such as the device name, RAM and API.
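As an added defender-side example (not Zimperium’s tooling and not code from the apps), a small static-triage heuristic that scores decompiled Android source for the combination described above: the Facebook login page loaded in a WebView, JavaScript injected into it, a Firebase endpoint and a native library. The indicator patterns, verdict thresholds and sample strings are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass, field
# Heuristic indicators of the technique the article describes: the real Facebook login
# page loaded in a WebView, JavaScript injected into it, data shipped to Firebase, and a
# native library hiding strings. Patterns and verdict thresholds are this example's assumptions.
INDICATORS = {
    "js_enabled":     re.compile(r"setJavaScriptEnabled\(\s*true\s*\)"),
    "js_injection":   re.compile(r"evaluateJavascript\(|loadUrl\(\s*\"javascript:"),
    "fb_login_url":   re.compile(r"https?://(m\.|www\.)?facebook\.com/login", re.I),
    "firebase_c2":    re.compile(r"https?://[\w.-]+\.firebaseio\.com", re.I),
    "native_library": re.compile(r"System\.loadLibrary\(|\blib\w+\.so\b"),
}
@dataclass
class TriageResult:
    hits: dict = field(default_factory=dict)  # indicator name -> matching line numbers
    def verdict(self) -> str:
        # Each indicator alone is common in benign apps; JavaScript injection into a
        # Facebook login WebView combined with an exfiltration endpoint is not.
        core = {"js_injection", "fb_login_url"}.issubset(self.hits)
        if core and "firebase_c2" in self.hits:
            return "suspicious: WebView credential harvesting pattern"
        if core:
            return "review: JavaScript injected into a Facebook login WebView"
        return "benign"

def triage(decompiled_source: str) -> TriageResult:
    """Scan decompiled app source (or `strings` output) line by line for the indicators."""
    result = TriageResult()
    for lineno, line in enumerate(decompiled_source.splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                result.hits.setdefault(name, []).append(lineno)
    return result

# Constructed sample (not real malware code): what a decompiled fake "free books" app might show.
SAMPLE_SUSPICIOUS = """\
webView.getSettings().setJavaScriptEnabled(true);
webView.loadUrl("https://m.facebook.com/login.php");
webView.evaluateJavascript(harvestScript, null);
String endpoint = "https://example-project.firebaseio.com/creds.json";
System.loadLibrary("native-lib");
"""

# Constructed benign sample: a WebView that only renders bundled help pages.
SAMPLE_BENIGN = 'webView.getSettings().setJavaScriptEnabled(true);\nwebView.loadUrl("file:///android_asset/help.html");\n'

if __name__ == "__main__":
    for label, src in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(f"{label}: {triage(src).verdict()} (indicators: {sorted(triage(src).hits)})")
```

The same function can be pointed at `strings` output from an APK’s classes.dex or a bundled .so, where the Firebase URL and ZIP password mentioned above would typically surface.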

Although the Schoolyard Bully malware primarily targets Android users in Vietnam, Zimperium researchers observed the campaign in 71 countries. Zimperium also identified at least 37 apps that have since been removed from the Google Play Store but are still available in third-party stores.

According to the threat intelligence firm, the Android malware campaign has been active since 2008.

“Although Google has improved its defenses against malware scanning in the Google Play Store, malicious apps like this still slip into the store and achieve thousands or even millions of downloads before their malicious payloads are detected,” said Chris Hauk, consumer privacy advocate at Pixel Privacy. “While apps like this can still cause problems in the Store, it’s still safer than loading apps onto your Android device from external sources.”

Hauk advised Android users to periodically run antivirus and anti-malware software to detect malicious apps: “I personally use Malwarebytes, but there are several quality security packages available for Android devices,” he said. “Malware scanning can help Android users detect previously unknown malicious apps that may be installed on their devices.”

Threat actors compromise financial accounts using stolen Facebook logins

The researchers warned that threat actors could use the stolen Facebook credentials to gain access to victims’ financial accounts. The impact of stolen Facebook logins is significant: users can log into other online services with their social media accounts, and 64% of users reuse passwords exposed in previous breaches.

The researchers did not identify the threat actor behind the Android malware campaign, but they noted a similar campaign, FlyTrap, carried out by Vietnamese threat actors.

“However, our researchers have determined that the threat actors in the two campaigns are distinct and operating independently based on the differences found in the code samples,” they noted.

Zimperium zLabs published the Indicators of Compromise (IoC) list to help users and researchers detect and isolate the Android malware variant.

According to Paul Bischoff, privacy lawyer at Comparitech, the social media giant could do nothing to protect Android users who installed apps that steal Facebook logins.

“If you install a malicious app to steal information on your device, there is nothing Facebook can do to protect your account from being hacked,” Bischoff said. “Although this was an attack on Facebook users, it does not exploit a Facebook vulnerability.”

Bischoff advised users to enable multi-factor authentication to prevent hackers from taking over their accounts should their Facebook logins be compromised. Bischoff also advised Android users to avoid third-party app stores and only download apps from the Google Play Store.

“Google Play checks all the apps uploaded to it and ensures that you get the authentic, latest version, as opposed to an older vulnerable version or one corrupted with malware. Google Play isn’t perfect – apps on Google Play were infected with Schoolyard Bully – but it’s better than the alternatives and quick to act when alerted to a malicious app.”
