FlyTrap Malware

FlyTrap Malware Description

A threatening attack campaign targeting Android users and aiming to collect their Facebook credentials has apparently been going on for months. The operation deployed a previously unknown malware threat that has been named FlyTrap. According to a report released by the researchers at Zimperium's zLabs, FlyTrap has compromised the Facebook accounts of more than 10,000 users spread across approximately 144 countries. The threat actor behind the campaign appears to be operating from Vietnam.

Distribution Techniques

The FlyTrap attack relied on numerous weaponized applications and employed social engineering tricks to lure its victims. The threatening applications were even available for download from the official Google Play store before being taken down. Now, they are spreading through third-party platforms and stores. So far, nine different applications delivering the FlyTrap malware have been detected: GG Voucher, Vote European Football, GG Coupon Ads, GG Voucher Ads, GG Voucher, Chatfuel, Net Coupon, a different Net Coupon and EURO 2021 Official. They pretend to offer lucrative rewards, such as Netflix or Google AdWords coupon codes, or try to engage users through popular events, for example by urging them to vote for their favorite team and players participating in the UEFA EURO 2020, which took place between June 11 and July 11, 2021. However, to access the supposed rewards, users were told to log in using their Facebook accounts.

Threatening Functionality

When the user signs into the account, the FlyTrap malware activates and harvests the victim's geolocation, email address, IP address, Facebook ID, and the cookies and tokens related to the breached Facebook account. Afterward, the attackers could exploit the acquired information in multiple ways. They could launch disinformation campaigns, boost sponsored pages, or spread propaganda via all of the compromised accounts, or propagate the FlyTrap malware even further by sending lure messages to the victim's contact list. The core technique of the threat is known as JavaScript injection: the fake app opens a legitimate URL (the real Facebook login page) inside a WebView window that is configured to allow JavaScript, and then injects its own JavaScript into that page to read the session cookies and tokens once the victim has logged in. Because the login page itself is genuine, the victim sees no obvious sign of tampering.
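The WebView-injection pattern described above leaves a recognisable footprint in an app's decompiled code: JavaScript enabled on a WebView, a legitimate third-party login URL loaded into it, a JavaScript execution or bridge call, and a cookie read for that URL. The following triage script is an added example for defenders (it is not part of this article and not FlyTrap's code); it scans constructed, hypothetical decompiled-source snippets for that combination of standard Android API calls and flags the combination rather than any single call, since enabling JavaScript on its own is common in benign apps.

```python
import re

# Constructed sample snippets standing in for decompiled Android source.
# They are illustrative only, not code from FlyTrap or any real app.
SUSPECT_SOURCE = """
WebView wv = findViewById(R.id.webview);
wv.getSettings().setJavaScriptEnabled(true);
wv.loadUrl("https://www.facebook.com/login");
wv.setWebViewClient(new WebViewClient() {
    public void onPageFinished(WebView view, String url) {
        String c = CookieManager.getInstance().getCookie(url);
        view.evaluateJavascript("...", null);
    }
});
"""

BENIGN_SOURCE = """
WebView wv = findViewById(R.id.webview);
wv.getSettings().setJavaScriptEnabled(true);
wv.loadUrl("https://example.org/help");
"""

# Each indicator matches a real Android WebView / CookieManager API call
# (WebSettings.setJavaScriptEnabled, WebView.evaluateJavascript,
# WebView.addJavascriptInterface, CookieManager.getCookie) or a
# third-party login URL being loaded into the WebView.
INDICATORS = {
    "js_enabled": re.compile(r"setJavaScriptEnabled\(\s*true\s*\)"),
    "js_eval": re.compile(r"\.evaluateJavascript\(|\.loadUrl\(\s*\"javascript:"),
    "js_bridge": re.compile(r"\.addJavascriptInterface\("),
    "cookie_read": re.compile(r"CookieManager\.getInstance\(\)\.getCookie\("),
    "login_url": re.compile(r"https?://[^\"']*facebook\.com/login"),
}


def find_indicators(source):
    """Return the sorted list of indicator names present in the source text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(source))


def triage(source):
    """Classify a source snippet as 'suspicious' or 'benign'.

    The verdict requires the full credential-harvest chain: JavaScript
    enabled, a way to run injected script (eval or bridge), and a cookie
    read. A loaded third-party login URL raises the confidence further.
    """
    hits = find_indicators(source)
    can_inject = "js_eval" in hits or "js_bridge" in hits
    chain = "js_enabled" in hits and can_inject and "cookie_read" in hits
    confidence = "high" if chain and "login_url" in hits else ("medium" if chain else "none")
    return {
        "verdict": "suspicious" if chain else "benign",
        "confidence": confidence,
        "indicators": hits,
    }


if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_SOURCE), ("benign", BENIGN_SOURCE)):
        print(label, triage(src))
```

In practice the same regexes would be run over the output of a decompiler across every class in the APK, and hits would be joined with the app's manifest (which permissions it requests, which store it came from) before an analyst looks at it; the combination logic here is what keeps the rule from firing on every app that simply embeds a web page.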