Mobile security company Zimperium’s zLabs has released a warning about a notorious Android trojan that has stolen around 300,000 credentials of Facebook users.

According to zLabs, Schoolyard Bully malware is the name of malware used in a brand-new Android threat campaign that has been active since at least 2008. The attackers specifically target Facebook user credentials, and the malware is found in several applications downloaded from third-party app stores and the Google Play Store.

The malware’s primary targets are based in Vietnam. However, zLabs researchers claim that over 300,000 victims have been identified so far, and they are located in 71 different countries since the apps were available via third-party app stores while Google Play Store has removed them from its official store.

Trojan Details

Schoolyard Bully malware is delivered via harmless-looking Android apps, mostly educational apps. Malicious code is hidden inside these apps, which can steal Facebook credentials and upload them to the Firebase C&C for threat actors. The trojan relies on JavaScript injections to display phishing pages that lure users into handing over their Facebook username/password. 

Threat actors leverage the trojan to obtain user credentials and successfully access financial accounts. Around 64% of the users used the same passwords already exposed in an earlier breach. Perhaps, this has allowed the trojan to remain active for years.

To remain hidden from antivirus software and machine learning virus detections, Schoolyard Bully Trojan uses native libraries such as libabc.so to store the stolen data. Data strings are hidden from detection software through further encoding. Moreover, the malicious educational apps are hidden in a password-protected ZIP.

Credentials of Over 300,000 Facebook Users Targeted by Schoolyard Bully Android Malware
Malicious apps (left) – Facebook phishing page (right) – Image credit: Zimperium

What Date can be Stolen?

The Schoolyard Bully malware can steal sensitive data from innocent users’ Facebook accounts, including user ID, password, email ID, phone number, Facebook profile name, Facebook ID, and device-related information such as device RAM and API.

Zimperium researchers have released technical information about the campaign and its indicators of compromises, which can help detect Schoolyard Bully malware.

  1. 9 apps with 6M installs stole Facebook logins of Android users
  2. Mandrake Android malware stealing Facebook, crypto data since 2016
  3. Fake Netflix, WhatsApp, Facebook Android Apps Contain SpyNote RAT
  4. Facebook removes 100s of accounts for spreading iOS, Android malware
  5. Cookiethief Android malware hacks Facebook accounts without password


Source link