Android Malware Targeting Facebook Users Infects 300,000 Devices

[Image: a hand holding an Android phone. Caption: Android malware embedded within applications infects devices. Source: Pexels]

Android malware dubbed the Schoolyard Bully Trojan has infected and extracted information from more than 300,000 devices in 71 countries since 2018, the mobile security firm Zimperium zLabs reported. The apps were marketed as educational on the Google Play Store and primarily targeted Facebook users in Vietnam.

The report cautions that the apps, though now removed from the Google Play Store, are still available on third-party application stores. 

In addition to email addresses, phone numbers, passwords, usernames, and account IDs, the malware accessed users’ device information, like device names, RAM details, and API information.

How Did the Schoolyard Bully Android Malware Infect Devices?

The incident has the makings of a classic phishing attack. Malware-infected applications redirected unsuspecting victims to a fake Facebook login page where they could enter their login credentials.

Using malicious JavaScript code, the cybercriminals extracted the credentials entered on the fake page: the script read the values of the login form’s ‘m_login_email’ and ‘m_login_password’ element IDs, handing the attackers the users’ credentials.

After extraction, the cybercriminals converted the captured data from binary to ASCII and parsed it as JSON to obtain the Facebook account credentials.
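A defender-side heuristic for the pattern described above, added here as an example and not code from Zimperium’s report: it scans string constants recovered from an APK, decodes base64-hidden layers (the report says the malware encodes its strings), and flags the combination of WebView script injection with reads of the Facebook login field IDs named above. The function names, indicator lists and sample strings are constructed for illustration.

```python
import base64
import re
# Indicators from the report's description; a heuristic, not a signature.
LOGIN_FIELD_IDS = ("m_login_email", "m_login_password")
WEBVIEW_JS_APIS = ("evaluateJavascript", "addJavascriptInterface", 'loadUrl("javascript:')
DOM_READ = re.compile(r"getElementById\(\s*['\"](m_login_\w+)['\"]\s*\)\.value")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def decode_hidden_strings(strings, max_depth=3):
    """Yield each string plus any base64 layers it hides (the malware encodes
    its strings, so the scanner must look through the encoding)."""
    seen = set()
    stack = [(s, 0) for s in strings]
    while stack:
        s, depth = stack.pop()
        if s in seen:
            continue
        seen.add(s)
        yield s
        if depth < max_depth and B64_RE.match(s):
            try:  # binascii.Error and UnicodeDecodeError are both ValueErrors
                decoded = base64.b64decode(s, validate=True).decode("utf-8")
            except ValueError:
                continue
            stack.append((decoded, depth + 1))

def scan_strings(strings):
    """Return the indicator categories found across the decoded strings."""
    hits = set()
    for s in decode_hidden_strings(strings):
        if any(api in s for api in WEBVIEW_JS_APIS):
            hits.add("webview_js_injection")
        if DOM_READ.search(s) or any(f in s for f in LOGIN_FIELD_IDS):
            hits.add("fb_login_field_access")
        if "facebook.com/login" in s:
            hits.add("fb_login_url")
    return hits

def verdict(hits):
    # Only injected script combined with login-field reads counts; each
    # indicator on its own is common in legitimate apps.
    if {"webview_js_injection", "fb_login_field_access"} <= hits:
        return "suspicious: credential-harvesting WebView"
    return "no credential-harvesting pattern"

# Constructed sample: strings as a decompiler might dump them from an APK,
# with the injected script base64-encoded as the report says strings are hidden.
HARVEST_JS = ("document.getElementById('m_login_email').value + ':' + "
              "document.getElementById('m_login_password').value")
SAMPLE_STRINGS = ["https://m.facebook.com/login", "evaluateJavascript",
                  base64.b64encode(HARVEST_JS.encode()).decode(), "Math Quiz Grade 5"]
```

An app that merely links to the Facebook login page (only `fb_login_url`) is not flagged; the verdict requires both the script-injection API and the field reads.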

[Image: lines of colored code on a black screen. Caption: Cybercriminals obtain user information from social media websites using JavaScript code. Source: Zimperium]

Although the JavaScript extraction is relatively simple to detect, the Android malware itself was sophisticated enough to hide its activity from antivirus software, Zimperium’s blog post says.

“The malware uses native libraries to hide from the majority of antivirus and machine learning virus detections,” the report stated. “The data is further encoded, to hide all the strings from any detection mechanisms. Apart from hiding its C&C details, these applications hide the educational data in a password-protected zip.”

A Series of Android OS Attacks

In a similar instance, cybercriminals used compromised Samsung, LG, and MediaTek platform certificates to sign Android malware, the Android Partner Vulnerability Initiative (APVI) reported. Apps signed with these certificates can run under the highly privileged ‘android.uid.system’ user ID, giving them system-level access to Android devices.

[Image: colored lines of code in Notepad. Caption: Android is the least protected mobile OS, which cybercriminals often use to launch malware-containing apps. Source: Bleeping Computer]

Last week, an organization in the Bahamas targeted Android users with fake SoftVPN and OpenVPN applications, both widely used VPNs. Targeting several popular messaging platforms, including WhatsApp, Signal, Viber, Telegram, and Messenger, the campaign spied on user accounts and extracted SMS messages, contacts, call logs, device location, and recorded phone calls.

Reminiscent of the Schoolyard Bully Trojan attack, Zimperium, in 2021, reported on the FlyTrap Android malware, which affected 10,000 users who had unknowingly downloaded malware-laced applications from the Google Play Store. Affected users in that attack were also primarily Vietnamese. Although Zimperium claims the perpetrators of the two attacks were different, the tactics used were similar. 

Cybercriminals involved in the FlyTrap Android malware had also extracted Facebook credentials, but they had gone a step further and acquired location, cookies, and IP addresses as well. 

The package names for the 10 listed malware samples include:


Why Target Social Media Accounts?

Social media accounts, especially those on Meta’s platforms, are becoming easy targets for cyber attackers. Malicious actors who extract sensitive user information from these platforms then weaponize it to launch social engineering attacks. To appear credible when contacting their victims, cybercriminals need access to their sensitive personal information. 

Usually, cybercriminals call the victims, pretend to be government officials, and claim to have pulled their information from classified records. The objective is to dupe unsuspecting victims into giving up further personal information, like social security numbers or sensitive company information that would otherwise remain within a secure network.

Since Android is less protected than iOS when it comes to preventing cybercriminals from peddling fake applications, cybercriminals often use it to launch malware-containing applications against victims.

Aside from Android’s laxity in blocking fake applications, cybercriminals also benefit from the common user habit of reusing the same password across multiple online accounts.

Android Smartphones & Social Media — Primary Security Risks

[Image. Caption: Social media platforms and Android OS are security risks for individuals and businesses. Proceed with caution on social media applications. Source: Pexels]

The stark reality is that the majority of social applications are unsafe, and are teeming with cybercriminals. WhatsApp and Facebook are cybercriminals’ most targeted platforms. Overall, Meta has a bad track record of protecting user data and was recently fined €265 million for its negligence. On the other hand, 98% of mobile banking attacks target Android, and it’s the only mobile OS allowing users to side-load software. 

Android users may want to switch to more secure platforms to avoid falling victim to malware attacks. Alternatively, Android users could benefit from verifying and updating the applications on their phones.

Why Does This Matter to Business Owners?

Cybercriminals don’t have to attack entire networks. Instead, they look for obvious gaps and known security vulnerabilities. For them to bring down a network, all they need is one employee clicking on a simple phishing or spam link on their smartphone or social media account.  

Employees using Facebook on Android smartphones are easy targets for social engineering scams. And in the process, they may end up exposing their companies’ networks and sensitive information to malicious actors. 

This has happened time and time again and is the easiest way to penetrate a network. To prevent this from happening, business owners would be well advised to implement more comprehensive security solutions that include a next-generation firewall, threat detection system, web content filtering, application filtering, and VPN. 

Another major security risk for companies arises when smartphones are able to connect to the company Wi-Fi. If a company can’t restrict smartphone access to its Wi-Fi, it needs strong endpoint management to assess all connected devices and patch security vulnerabilities accordingly.

As illustrated by this recent attack, open-source operating systems and mainstream social media applications are conduits for sophisticated scams. The Schoolyard Bully Trojan was a two-front attack, in which the cybercriminals exploited the biggest (and least secure) mobile OS, Android, and the biggest (and least secure) social media platform, Facebook.
