UPDATED 22:30 EDT / AUGUST 09 2021

SECURITY

New Android malware targets Facebook users through social media hijacking

A newly discovered Android Trojan is believed to have more than 10,000 victims through social media hijacking, third-party app stores and sideloaded applications.

Detailed today by researchers at Zimperium Inc.’s lab, the malware, dubbed “FlyTrap,” employs social engineering tricks to compromise Facebook accounts. It was found to have come from Vietnam, with malicious actors running the session hijacking campaign since March.

FlyTrap is spread through malicious applications that were initially distributed through both the Google Play store and third-party application stores. After the researchers reported their findings to Google, the malware was identified and removed from Google Play, but it continues to be available on other, unsecured app repositories.

The malicious applications used to ensnare victims include apps that provide free Netflix coupon codes, Google AdWords coupons and voting for the best soccer team or player. The applications use high-quality designs to trick users into downloading and trusting them. Once installed, the malicious application displays pages to engage the victim, then asks the user to log in to their Facebook account to cast a vote or collect a coupon code.

FlyTrap uses JavaScript injection to open a legitimate URL inside a WebView. The script is configured with the ability to extract information such as cookies, user account details, location and IP address.

The researchers noted that the same technique could easily be used to target login details from other, more critical applications.
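A defender-side triage sketch for the behaviour described above, added here as an example (it is not Zimperium's or SiliconANGLE's code): it scans decompiled Java source for a WebView that loads a watched login host together with script injection and cookie reads. The Android API names are real SDK calls; the `triage` function, the indicator grouping, the verdict names, the watched-host list and the sample snippets are assumptions of this example.

```python
import re

# Real Android SDK call names; the grouping and verdict rules are this example's assumptions.
INDICATORS = {
    "js_enabled": re.compile(r"\.setJavaScriptEnabled\(\s*true\s*\)"),
    "js_injection": re.compile(r"\.evaluateJavascript\(|\.loadUrl\(\s*\"javascript:"),
    "js_bridge": re.compile(r"\.addJavascriptInterface\("),
    "cookie_read": re.compile(r"CookieManager\b[^;]*\.getCookie\("),
}
# Hosts whose pages a third-party app should not script inside its own WebView.
WATCHED_HOSTS = ("facebook.com",)
URL_LOAD = re.compile(r"\.loadUrl\(\s*\"https?://([^/\"]+)")

def triage(source, watched_hosts=WATCHED_HOSTS):
    """Return (verdict, hits); hits maps indicator name -> matching line numbers."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
        m = URL_LOAD.search(line)
        host = m.group(1).lower() if m else ""
        if any(host == h or host.endswith("." + h) for h in watched_hosts):
            hits.setdefault("watched_login_host", []).append(lineno)
    scripted = "js_injection" in hits or "js_bridge" in hits
    if "watched_login_host" in hits and scripted and "cookie_read" in hits:
        verdict = "session-theft pattern"
    elif "watched_login_host" in hits and "js_enabled" in hits:
        verdict = "review"
    else:
        verdict = "no match"
    return verdict, hits

# Constructed samples (not from any real app); script bodies are left out on purpose.
SUSPICIOUS = '''
WebView w = findViewById(R.id.vote);
w.getSettings().setJavaScriptEnabled(true);
w.addJavascriptInterface(new Bridge(), "bridge");
w.loadUrl("https://m.facebook.com/");
w.evaluateJavascript(script, null);
String c = CookieManager.getInstance().getCookie(url);
'''
BENIGN = '''
WebView w = findViewById(R.id.help);
w.getSettings().setJavaScriptEnabled(true);
w.loadUrl("https://help.example.com/faq");
'''
if __name__ == "__main__":
    print(triage(SUSPICIOUS)[0], "|", triage(BENIGN)[0])
```

A "review" verdict still needs a human look, since some legitimate apps embed third-party login pages in a WebView.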

“While concerning, it is not surprising,” Setu Kulkarni, vice president of strategy at application security provider NTT Security AppSec Solutions Inc., told SiliconANGLE. “This is a nifty combination of a handful of ‘vulnerabilities’: the human vulnerability to click before you think, a software vulnerability to allow JS injection, the abundance of meta-data open to access like location and finally the implicit trust that can be gained by clever yet dubious association with the likes of Google, Netflix etc.”

“This is not even the most concerning bit – the concerning bit is the network effect this type of trojan can generate by spreading from one user to many,” Kulkarni added. “Moreover, as the summary of Zimperium’s findings state, this trojan could be evolved to exfiltrate significantly more critical information like banking credentials.”

Hank Schless, senior manager of security solutions at endpoint-to-cloud security company Lookout Inc., agreed, noting that the same tactics can be used to steal corporate login credentials by building a campaign targeting users on collaboration platforms such as Google Workspace or Microsoft 365.

“This highlights how important it is to have a security solution that uses mobile security as a cornerstone aspect of a greater cloud security strategy,” Schless explained. “Integrating mobile threat intelligence with cloud access security broker and zero-trust network access capabilities is the only way to fully protect your enterprise organization in today’s complex threat landscape.”

Shawn Smith, director of infrastructure at application security provider nVisium LLC, noted that malware such as FlyTrap shows that even when there are no technical vulnerabilities in a system, there is still a viable attack vector.

“This vector is the user of the system,” Smith said. “As we continue to become more connected through the internet, we need to impress the importance of doing a little research before just clicking links.”

Photo: CCnull
