According to a report, cybersecurity firm Zimperium has identified a new Android Trojan that has hit more than 10,000 victims in more than 100 countries.

Named FlyTrap, the Trojan has been spreading through “social media hijacking, third-party app stores, side-loaded applications” since March.

The malware was first spotted by Zimperium’s zLabs mobile threat research team, which found that it uses social engineering ruses to compromise Facebook accounts. The malware hijacks social media accounts by infecting Android devices, letting attackers gather information from victims such as Facebook ID, location, email address and IP address, as well as the cookies and tokens tied to the victim’s Facebook account. “These hijacked Facebook sessions can be used to spread the malware by abusing the victim’s social credibility through personal messaging with links to the Trojan, as well as propagating propaganda or disinformation campaigns using the victim’s geolocation details,” the Zimperium researchers wrote.

The researchers attributed the malware to groups based in Vietnam and said the operators were able to distribute it through Google Play and other app stores. Zimperium reported the malware to Google, which verified the findings and removed all of the applications from the Play store.

But the report observes that three of the applications are still available on “third-party, unsecured app repositories.”

Once victims are persuaded to download the app through misleading designs, the app urges users to engage and finally asks them to enter their Facebook account credentials in order to vote on something or collect coupon codes. Once the credentials are entered, the app takes victims to a screen that says the coupon has already expired.

Setu Kulkarni, vice president at NTT Application Security, said FlyTrap was a great combination of a few susceptibilities and exploited the profusion of metadata open to access, like location, as well as the implied trust that can be gained by crafty yet doubtful associations with companies like Google, Netflix and others.
