Here comes a new android threat that investigators call FlyTrap has been hijacking the Facebook accounts of users in more than 140 countries by stealing its session cookies. FlyTrap operation relies on simple social engineering tactics to manipulates victims into using their Facebook credentials to log into leverages applications that collected information associated with the social media sessions.

Investigators at mobile security organization Zimperium analyzed the new piece of malware and discover that the hijacked data was accessible to anyone who founded FlyTrap’s command and control (C2) server.

Fascinating with High-Quality Applications    

FlyTrap operations have been conducting since at least March. The attackers used malicious applications with high-quality design, distributed through Google Play and the third-party Android stores. The lure includes the offers for free coupon codes (for Netflix, Google AdWords) and voting for the favorite soccer team or player, in tune with the delayed UEFA Euro 2020 competition.

Getting the promised reward needed logging into the applications using Facebook credentials, authentication occurring on the appropriate social media domain. Since the malicious applications use the real Facebook single sign-on (SSO) service, they can’t collect users’ credentials. Instead, FlyTrap relies on JavaScript insertion to yield other sensitive information.

“By utilizing this technique, the application launches the authorized URL inside a WebView configured with the ability to insert JavaScript code and extracts all the important data such as cookies, user account details, location, and IP address by inserting malicious JS code.”

All the data collected this way goes to FlyTrap’s C2 server. More than 10,000 Android users in 144 countries fell victim to this social engineering. The numbers come straight from the command and control server, which the investigators were able to access because the database with the hijacked Facebook session cookies was revealed to anyone on the internet.

How many Android Users are Infected?

 Zimperium’s Aazim Yaswant states in a blog post today that FlyTrap’s C2 server had multiple security vulnerabilities that provide access to the stored data. The investigator notes that accounts on social media platforms are a common target for threat actors, who can use them for the fraudulent purpose like artificially boosting the popularity of pages, sites, products, misinformation, or a political message.

He also mentions the fact that phishing pages that hijack passwords are not the only way to log into the account of an online service. Logging onto the appropriate domain can also come with risks.

“Just like any user manipulation, the high-quality graphics and official-looking login screens are common tactics to have users take action that could reveal sensitive information. In this case, while the user is logging into their official account, the FlyTrap Trojan is hijacking the session information for malicious intent” – Aazim Yaswant, Android malware researcher, Zimperium.

Despite not using the new tactic, FlyTrap handles to steal a significant number of Facebook accounts. With a few modifications, it could turn into a more dangerous threat for mobile devices, the investigators said.