According to a report published today by Zimperium’s zLabs and shared with The Hacker News, the malware, dubbed “FlyTrap,” is believed to be part of a family of trojans that use social engineering tricks to breach Facebook accounts as part of a session hijacking campaign orchestrated by malicious actors operating out of Vietnam.

Fraudulent apps distributed through the Google Play Store and third-party app marketplaces have been used to compromise the Facebook accounts of more than 10,000 users in at least 144 countries since March 2021.

“Sideloaded programs pose a danger to mobile endpoints and user data,” Zimperium malware researcher Aazim Yaswant stated. Although the nine malicious applications have since been removed from Google Play, they are still available on third-party app marketplaces. The applications are:

  • GG Voucher (com.luxcarad.cardid)
  • Vote European Football (com.gardenguides.plantingfree)
  • GG Coupon Ads (com.free_coupon.gg_free_coupon)
  • GG Voucher Ads (com.m_application.app_moi_6)
  • GG Voucher (com.free.voucher)
  • Chatfuel (com.ynsuper.chatfuel)
  • Net Coupon (com.free_coupon.net_coupon)
  • Net Coupon (com.movie.net_coupon)
  • EURO 2021 Official (com.euro2021)

To cast a vote or collect a coupon code or credits, users must log in with their Facebook accounts inside the malicious apps. The apps claim to offer Netflix and Google AdWords coupon codes and to let users vote for their favourite teams and players at UEFA EURO 2020, which was played between 11 June and 11 July 2021.

Once the victim signs in, FlyTrap collects the victim’s Facebook ID, current geographic location, email address and IP address, together with the session cookies of the logged-in account. The threat actors can then use this access to run disinformation campaigns or to spread the malware further through social engineering, for example by sending personal messages from the hijacked account to the victim’s contacts.

Rather than presenting a fake login form, FlyTrap opens the legitimate Facebook login URL inside an Android WebView that it has configured to allow JavaScript injection. Because the page and the domain are genuine, the victim sees nothing suspicious; once the login completes, the app injects its own JavaScript into the page and reads the session cookies and other account data from it.
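The pattern described above leaves a recognisable footprint in an app's decompiled code: a WebView with JavaScript enabled, a hook that runs after a page finishes loading, injected JavaScript, and a read of the cookie jar for a third-party login domain. The following static triage heuristic is an added example written for this page; it is not Zimperium's tooling or FlyTrap's code. The indicator names, regular expressions and scoring rule are assumptions, and the two decompiled Java sources it scans are constructed for illustration.

```python
"""Static triage heuristic for the WebView session-hijacking pattern.

Scans decompiled Android sources (e.g. jadx output) for the combination of
API calls an app needs in order to load a legitimate login page in a WebView,
run injected JavaScript in it and read the resulting session cookies.
All indicator names and the scoring rule are assumptions made for this example.
"""

import re
from dataclasses import dataclass, field

# Indicator regexes (assumed for this example). Each one alone is common in
# benign apps; it is the combination around a third-party login URL that matters.
INDICATORS = {
    "js_enabled": re.compile(r"setJavaScriptEnabled\s*\(\s*true\s*\)"),
    "js_injection": re.compile(r"evaluateJavascript\s*\(|loadUrl\s*\(\s*\"javascript:"),
    "js_bridge": re.compile(r"addJavascriptInterface\s*\("),
    "cookie_read": re.compile(r"CookieManager\.getInstance\(\)\.getCookie\s*\("),
    "login_url": re.compile(r"https?://(?:www|m)\.facebook\.com/login", re.I),
    "page_hook": re.compile(r"onPageFinished\s*\("),
}

# Minimum set that turns "app with a WebView" into "app that injects JS and
# harvests cookies" when a third-party login URL is also present.
CORE = {"js_enabled", "js_injection", "cookie_read"}


@dataclass
class Finding:
    path: str
    matched: list = field(default_factory=list)
    suspicious: bool = False


def scan_source(path: str, text: str) -> Finding:
    """Return which indicators a single decompiled source file matches."""
    finding = Finding(path=path)
    for name, rx in INDICATORS.items():
        if rx.search(text):
            finding.matched.append(name)
    matched = set(finding.matched)
    finding.suspicious = CORE.issubset(matched) and "login_url" in matched
    return finding


def triage(sources: dict) -> list:
    """Return the paths of all sources that match the full harvesting pattern."""
    return [p for p, text in sources.items() if scan_source(p, text).suspicious]


# Constructed decompiled sources (not real app code). The first shows the
# harvesting pattern; the second is a benign help page viewer.
SAMPLE_SOURCES = {
    "LoginActivity.java": """
public class LoginActivity extends Activity {
  void start() {
    WebView wv = findViewById(R.id.web);
    wv.getSettings().setJavaScriptEnabled(true);
    wv.setWebViewClient(new WebViewClient() {
      @Override public void onPageFinished(WebView v, String url) {
        v.evaluateJavascript("(function(){return document.cookie;})()", cb);
        String c = CookieManager.getInstance().getCookie("https://m.facebook.com/");
        upload(c);
      }
    });
    wv.loadUrl("https://m.facebook.com/login");
  }
}
""",
    "HelpActivity.java": """
public class HelpActivity extends Activity {
  void start() {
    WebView wv = findViewById(R.id.web);
    wv.getSettings().setJavaScriptEnabled(true);
    wv.loadUrl("https://example.com/help");
  }
}
""",
}


if __name__ == "__main__":
    for path, text in SAMPLE_SOURCES.items():
        f = scan_source(path, text)
        print(path, "suspicious" if f.suspicious else "ok", f.matched)
```

The heuristic is deliberately conservative: enabling JavaScript in a WebView is routine, so only the combination of injection, cookie extraction and a login URL for a domain the app does not own is flagged. String obfuscation or reflection would defeat these literal patterns, so treat a miss as "not found by this check", not as a clean result.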


The exfiltrated data is sent to a command-and-control (C2) server, but the researchers found security flaws in that server that could expose the entire database of stolen session cookies to anyone on the internet, putting the victims at further risk.

According to Yaswant, “malicious threat actors are taking advantage of widespread user misunderstandings that logging into the correct domain is always secure, regardless of the application used to log in. The targeted domains are major social media platforms, and this effort has been extraordinarily efficient in gathering social media session data of individuals from 144 countries.”