
Schoolyard Bully Mobile Malware

Cybercriminals have been targeting the Facebook credentials of unsuspecting Android users as part of an attack campaign that has been going on since at least 2018. The threat actors are using a previously unknown mobile malware tracked as the Schoolyard Bully Trojan. The malicious campaign has managed to compromise the Android devices of more than 300,000 users spread across 71 countries. Most victims, however, have been identified as being located in Vietnam. The harvested data is sent to a Firebase C&C (Command and Control) server. Details about the threat and the attack campaign were unveiled in a report by the infosec experts at Zimperium zLabs.

The Schoolyard Bully threat is spread under the guise of seemingly legitimate apps. The malicious applications pose as educational tools or apps that provide users access to a wide range of books from numerous different genres. Some of these weaponized apps were even able to temporarily bypass the security protections of the official Google Play Store and be available for download. Google has removed the Schoolyard Bully apps, but users could still get infected if they download them from a less safe third-party app store or platform.

Malicious Capabilities

Schoolyard Bully is designed specifically to steal the Facebook credentials of its victims. More specifically, the Trojan will try to compromise victims' email, phone number, password, ID, and real name. An additional malicious function will send even more details (Facebook credentials, Facebook name, device API, device RAM, device name) to a dedicated server controlled by the attackers.

To avoid being picked up by security solutions, the threat utilizes native libraries. Schoolyard Bully uses the same technique to store its C&C data as a native library named ''. The threat also encodes all of its strings as an additional mechanism against detection. To steal the victim's credentials, the malware opens the legitimate URL within WebView, where a malicious JavaScript injection will extract the targeted user's data. The threat uses the 'evaluateJavascript' method as a way to carry out the code injection.
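A defender-side triage sketch for the traits described above (an added example, not code from the Zimperium report or this page): it scans decompiled app sources for `evaluateJavascript` used together with native-library loading or a Firebase backend. The indicator names, file paths and sample snippets are constructed for illustration.

```python
import re

# Static indicators for the behaviours described above. Because the threat
# encodes its strings, literal URLs may be absent; API calls carry the signal.
INDICATORS = {
    "webview_js_injection": re.compile(r"\.evaluateJavascript\s*\("),
    "native_library": re.compile(r"System\.loadLibrary\s*\("),
    "firebase_backend": re.compile(r"firebaseio\.com|FirebaseDatabase"),
}

def triage(sources):
    """sources maps a decompiled file path to its text.
    Returns the files hitting each indicator and a review flag."""
    hits = {name: [] for name in INDICATORS}
    for path, text in sources.items():
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits[name].append(path)
    found = {name for name, paths in hits.items() if paths}
    # evaluateJavascript alone is common in benign hybrid apps, so only
    # flag it when at least one other trait is present in the same app.
    review = "webview_js_injection" in found and len(found) >= 2
    return {"hits": hits, "review": review}

# Constructed samples (not real malware code).
SUSPECT = {
    "com/example/reader/LoginActivity.java": """
        static { System.loadLibrary("placeholder_lib"); }
        webView.loadUrl(Native.decode(0));
        webView.evaluateJavascript(Native.decode(1), callback);
    """,
}
HYBRID_APP = {
    "com/example/shop/MainActivity.java": """
        webView.loadUrl("https://shop.example.com/");
        webView.evaluateJavascript("window.appReady()", null);
    """,
}
DOC_VIEWER = {
    "com/example/docs/HelpActivity.java": """
        webView.loadUrl("https://docs.example.com/help");
    """,
}

if __name__ == "__main__":
    for label, app in (("suspect", SUSPECT), ("hybrid", HYBRID_APP),
                       ("docs", DOC_VIEWER)):
        print(label, triage(app)["review"])
```

A positive result is a prompt for manual review of the flagged files, not a verdict.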

