Thousands of Facebook accounts hijacked by FlyTrap malware

By stealing session cookies, a new Android trojan known as FlyTrap has been hijacking the Facebook accounts of people in over 140 countries.

FlyTrap campaigns use basic social engineering to trick users into logging into malicious applications with their Facebook credentials; the apps then harvest data from the resulting Facebook session. The malware was uncovered by researchers at mobile security firm Zimperium, who found that the stolen information was accessible to anybody who reached FlyTrap’s command and control (C2) server.

FlyTrap campaigns have been active since at least March. The operator used well-designed malicious apps distributed through Google Play and third-party Android app stores. The lures included free coupon codes (for Netflix and Google AdWords) and voting for one’s favourite soccer club or player, tied to the UEFA Euro 2020 tournament, which had been postponed to 2021.

Claiming the promised prize required logging into the app with Facebook credentials, with the authentication itself taking place on Facebook’s own login page.

Because the login goes through Facebook’s legitimate single sign-on (SSO) flow, the malicious applications never receive the user’s password. What they get instead is the authenticated session: FlyTrap renders the legitimate login page inside an Android WebView it controls and harvests session cookies and other sensitive data through JavaScript injection. As Zimperium describes it: “Using this technique, the application opens the legit URL inside a WebView configured with the ability to inject JavaScript code and extracts all the necessary information such as cookies, user account details, location, and IP address by injecting malicious JS code”.
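As an illustration added here (this is not FlyTrap’s code and not code from Zimperium’s report), the following Android snippet shows the pattern the researchers describe, a legitimate login URL rendered inside an app-controlled WebView with JavaScript enabled, next to a login flow the host app cannot observe. The class and method names, the `exfiltrate` sink and the `FB_LOGIN_URL` placeholder are the editor’s; the safer variant assumes the `androidx.browser` Custom Tabs dependency.

```java
// Illustrative Android code added by the editor; not FlyTrap's code and not from
// Zimperium's report. Contrasts the WebView pattern described in the article with
// a browser-based login. Names below are the editor's; FB_LOGIN_URL is a placeholder.
import android.app.Activity;
import android.content.Context;
import android.net.Uri;
import android.util.Log;
import android.webkit.CookieManager;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import androidx.browser.customtabs.CustomTabsIntent;

public final class LoginFlows {
    // Placeholder for the legitimate login URL (assumption; the real flow would use the provider's SSO endpoint).
    static final String FB_LOGIN_URL = "https://m.facebook.com/login.php";

    /**
     * WEAK: the page is legitimate and the password is typed into Facebook's own form, but the
     * page is rendered inside a WebView the host app controls. With JavaScript enabled the app
     * can run script in the page's origin once the user is logged in, and the WebView's
     * CookieManager hands the app every cookie set for the site. A session cookie is as good as
     * the password for using the account.
     */
    static void weakWebViewLogin(Activity activity) {
        WebView webView = new WebView(activity);
        webView.getSettings().setJavaScriptEnabled(true); // needed for the injection below
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public void onPageFinished(WebView view, String url) {
                // Script executes in the origin of the loaded page: document.cookie yields the
                // non-HttpOnly cookies, and the DOM (profile name, user id, etc.) is readable the same way.
                view.evaluateJavascript("document.cookie",
                        value -> exfiltrate("js_cookies", value));
                // The host app does not even need JavaScript for the cookie jar: CookieManager
                // returns the Cookie header value for the URL, HttpOnly cookies included.
                exfiltrate("jar_cookies", CookieManager.getInstance().getCookie(url));
            }
        });
        activity.setContentView(webView);
        webView.loadUrl(FB_LOGIN_URL);
    }

    /**
     * SAFER: hand the login to the system browser via a Chrome Custom Tab. The browser's cookie
     * jar and DOM live in a separate process the app cannot script, so a successful login does
     * not expose the session cookie to the app; it only receives what the identity provider
     * redirects back (the external user-agent model recommended for native apps in RFC 8252).
     */
    static void browserBasedLogin(Context context) {
        CustomTabsIntent intent = new CustomTabsIntent.Builder().build();
        intent.launchUrl(context, Uri.parse(FB_LOGIN_URL));
    }

    // Stand-in for whatever a malicious app does with the harvested data; here it only logs it.
    private static void exfiltrate(String label, String value) {
        Log.d("LoginFlows", label + "=" + value);
    }
}
```

The point for defenders and app reviewers is the first method: nothing in it is an exploit against Facebook, and the user really does authenticate on the real domain. The exposure comes entirely from who owns the WebView. A user cannot tell the two flows apart from the login screen, which is why a login prompt appearing inside an unrelated app (coupons, polls) should be treated as a red flag, and why the second pattern is the one legitimate apps should use.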

All of the data FlyTrap harvests is sent to its C2 server. The campaign affected almost 10,000 Android users in 144 countries; the researchers obtained that figure directly from the C2 server, whose database of stolen Facebook session cookies had been left publicly accessible.

In a blog post, Zimperium’s Aazim Yaswant writes that FlyTrap’s C2 server had several security flaws that exposed the stored information. The report notes that social media accounts are a common target for threat actors, who can use them for fraudulent purposes such as artificially inflating the popularity of pages, sites or products, spreading misinformation, or running political campaigns.

He emphasises that credential-stealing phishing pages are not the only way into an online service’s account; logging in on the legitimate domain carries its own risks. Despite using no novel techniques, FlyTrap took over a large number of Facebook accounts, and with a few tweaks it could become a more serious threat to mobile devices, according to the researcher.