Logging in to the right domain doesn’t always guarantee security, something users don’t always seem to realize, according to researchers at Zimperium zLabs. Over the last six months, the researchers detailed multiple instances of a new Android Trojan, FlyTrap, that has hit more than 10,000 victims via social media hijacking, third-party app stores and sideloaded applications.
The malware belongs to a Trojan family that uses social engineering tricks to compromise Facebook accounts and has harvested the social media data of users in 144 countries, sometimes using the accounts as a botnet to increase the popularity of pages, sites or products to spread misinformation or political propaganda.
“While this incident targeted Facebook accounts, the same tactics are used to steal corporate login credentials by building a campaign targeting users on collaboration platforms like Google Workspace or Microsoft 365,” said Hank Schless, senior manager, security solutions, Lookout. Attackers could then take those credentials and log in to these platforms.
Attackers use high-quality graphics and official-looking login screens to prompt users to take action and cough up sensitive information. “In this case, while the user is logging into their official account, the FlyTrap Trojan is hijacking the session information for malicious intent,” the researchers wrote in a blog post.
Adversaries used a number of schemes to lure victims—offering coupon codes for free Netflix or Google AdWords; asking users to vote for the best sports team or player.
“Malware like FlyTrap shows us that even when there are no technical vulnerabilities in a system, there is still a viable attack vector,” said Shawn Smith, director of infrastructure at nVisium. “This vector is the user of the system. As we continue to become more connected through the internet, we need to impress the importance of doing a little research before just clicking links.”
Smith noted that “similar recent situations like this include a Twitter scandal that involved high-profile accounts being hacked and used to lure people into giving them money. It’s this social engineering aspect behind these attacks which is the most concerning and dangerous.”
FlyTrap was initially found in Google Play and third-party app stores and tried to get users to download and trust certain applications. Once the malicious application is installed, it displays pages that ask users for a response.
“While concerning, it is not surprising. This is a nifty combination of a handful of ‘vulnerabilities’: the human vulnerability to click before you think, a software vulnerability to allow JS injection, the abundance of metadata open to access, like location, and finally, the implicit trust that can be gained by clever yet dubious association with the likes of Google, Netflix etc.,” said Setu Kulkarni, vice president, strategy, at NTT Application Security. “This is not even the most concerning bit—the concerning bit is the network effect this type of Trojan can generate by spreading from one user to many.”
Zimperium’s findings suggest that “this Trojan could be evolved to exfiltrate significantly more critical information, like banking credentials,” Kulkarni said. “The ‘what-if’ scenarios don’t end there, unfortunately. What if this type of Trojan is offered as a service? Or, what if this transforms quickly into ransomware targeting hundreds of thousands of users?”
The malicious actors are likely operating out of Vietnam, according to Zimperium. And while the researchers reported their findings to Google which removed the apps from Google Play, they’re “still available on third-party, unsecured app repositories, highlighting the risk of sideloaded applications to mobile endpoints and user data.”
This problem is not solved by tech alone, of course. Users need to bone up on how to protect themselves, and companies need to keep hammering awareness into their stubborn little heads. But app stores need to up their efforts as well.
“The bottom line does not change. It all begins with a user who is enticed to click a link,” Kulkarni said. “This begs the question—shouldn’t Google and Apple be doing more to address this for their entire customer base?”