Coupon codes for Netflix or Google AdWords? Voting for the best football team? Beware: Malicious apps offering such come-ons could deliver a new trojan.
Researchers have uncovered a new Android trojan, dubbed FlyTrap, that’s spread to more than 10,000 victims via rigged apps on 3rd-party app stores, sideloaded apps & hijacked Facebook accounts.
In a report posted on Monday, Zimperium’s zLabs mobile threat research team wrote that FlyTrap has spread to at least 144 countries since March, via malicious apps distributed through the Google Play store & 3rd-party app marketplaces.
Vietnam
The malware, which researchers have traced to operators working out of Vietnam, is part of a family of trojans that use social engineering to take over Facebook accounts, the researchers stated.
The session-hijacking campaign was initially distributed via Google Play as well as 3rd-party app stores. Google Play removed the malicious apps after Zimperium zLabs notified it about them.
They are, however, still being distributed on 3rd-party, unsecured app stores, “highlighting the risk of sideloaded applications to mobile endpoints & user data,” Zimperium pointed out.
Bad Apps
These are the 9 bad apps:
- GG Voucher (com.luxcarad.cardid)
- Vote European Football (com.gardenguides.plantingfree)
- GG Coupon Ads (com.free_coupon.gg_free_coupon)
- GG Voucher Ads (com.m_application.app_moi_6)
- GG Voucher (com.free.voucher)
- Chatfuel (com.ynsuper.chatfuel)
- Net Coupon (com.free_coupon.net_coupon)
- Net Coupon (com.movie.net_coupon)
- EURO 2021 Official (com.euro2021)
How You Get Stuck in FlyTrap
The threat actors use a variety of lures: free Netflix coupon codes, Google AdWords coupon codes, & voting for the best football/soccer team or player. They’re not only enticing; they’re slick, too, with high-quality graphics – all the better to hide what they’re doing behind the scenes.
“Just like any user manipulation, the high-quality graphics & official-looking login screens are common tactics to have users take action that could reveal sensitive information,” zLabs researchers explained. “In this case, while the user is logging into their official account, the FlyTrap Trojan is hijacking the session information for malicious intent.”
Netflix & Google AdWords
The bad apps purport to offer Netflix & Google AdWords coupon codes, or to let users vote for their favourite teams & players at UEFA EURO 2020, the quadrennial European soccer championship that finished on July 11 (delayed a year by COVID-19).
First, before the malware apps hand over the promised goodies, targeted users are told to log in with their Facebook accounts to cast their vote or collect the coupon code or credits.
There are, of course, no free Netflix or AdWords coupons or codes, & there’s no favourite-football-team voting there. Rather, the malicious apps are just after Facebook credentials. They make an attempt to look legitimate by throwing up a message saying that the coupon or code expired “after redemption & before spending.”
FlyTrap Gets Busy
After a fooled Android user hands over their Facebook credentials, the apps get busy sucking up details that include:
- Facebook ID
- Location
- Email address
- IP address
- Cookies & tokens associated with the Facebook account
Then, the trojan uses victimised accounts to spread, making it look like the real owners are sharing legitimate posts, zLabs researchers explained.
“These hijacked Facebook sessions can be used to spread the malware by abusing the victim’s social credibility through personal messaging with links to the Trojan, as well as propagating propaganda or disinformation campaigns using the victim’s geolocation details,” they wrote.
Highly Effective
“These social-engineering techniques are highly effective in the digitally connected world & are used often by cyber-criminals to spread malware from 1 victim to another.”
Similar campaigns include Silent Fade: a malware campaign linked to Chinese actors that targeted Facebook’s ad platform for years & siphoned $4m from users’ advertising accounts, using the compromised accounts to promote malicious ads & steal browser cookies, among other things.
More recently, a similar malware – a password- & cookie-stealer named CopperStealer – was found to have been compromising Amazon, Apple, Google & Facebook accounts since 2019, then using them for additional cyber-criminal activity.
How FlyTrap Snaps
FlyTrap uses JavaScript injection to hijack sessions by logging into the original & legitimate domain. Its bad apps open the legit domain inside a WebView, & then it injects malicious JavaScript code that enables the extraction of targeted information – i.e., cookies, user account details, location & IP address.
FlyTrap’s command-&-control (C2) server uses the pilfered login credentials to authorise access to the harvested data. However, it gets worse: zLabs found that the C2 server has a misconfiguration that could be exploited to expose the entire database of stolen session cookies “to anyone on the internet,” which would further endanger victims, the researchers observed.
Credential-Stealing
There’s nothing new about credential-stealing from mobile devices, the researchers noted: After all, mobile endpoints “are often treasure troves of unprotected login information to social media accounts, banking applications, enterprise tools & more.”
In fact, FlyTrap’s tools & techniques are so effective that it would not be surprising if some malicious actor picked it up & retrofitted it – or “any other trojan” – to go after even more critical information, they warned.
2-Legged Sort of Vulnerability
Security experts gave grudging respect to the creator(s) of FlyTrap, whose success relies in large part on tickling the “oh boy!” parts of our brains.
Setu Kulkarni, VP of Strategy at app sec firm NTT Application Security, called the malware a “nifty combination of a handful of ‘vulnerabilities:’ the human vulnerability to click before you think, a software vulnerability to allow JS injection, the abundance of meta-data open to access, such as location, & finally the implicit trust that can be gained by clever yet dubious association with the likes of Google, Netflix, etc.”
Trojan
That’s not the worst of it, he explained. It’s the network effect this type of trojan can generate, spreading from user to user. Zimperium’s what-if scenarios could go even further than FlyTrap being tweaked to exfiltrate more critical information such as banking credentials.
“What-if this type of trojan is now offered as-a-service or what-if this transforms quickly into ransomware targeting 100s of 1,000s of users?” he suggested.
“The bottom line does not change. It all begins with a user who is enticed to click a link. This begs the question – shouldn’t Google and Apple be doing more to address this for their entire customer base?”
Technical Vulnerabilities
Shawn Smith, Director of Infrastructure at app security firm nVisium, explained that FlyTrap & its kind show that you don’t need technical vulnerabilities to come up with a winning attack vector: the user. “We need to impress the importance of doing a little research before just clicking links,” he observed.
“This malware spreads mainly by promising coupons and voting for the user’s favourite interests from these links.
Twitter Scandal
“Other similar & more recent situations like this include a Twitter scandal that involved high-profile accounts being hacked & used to lure people to give them money. It’s this social engineering aspect behind these attacks which is the most concerning & dangerous.
“We can only do so much by securing our technology alone, & users need to be educated to spot social engineering attacks so they can better protect themselves & their friends.”
Shield Your Android
Richard Melick, Zimperium’s Director of Product Marketing for Endpoint Security, noted that Android users can immediately decrease their chance of infection by not allowing apps from untrusted sources to be installed.
While the setting is turned off by default on most Android devices, social-engineering techniques are “highly effective at tricking users into allowing it,” he explained.
To disable unknown sources on Android, go to settings, choose “security,” & make sure that the “unknown sources” option isn’t selected.
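As an added example (not from the Zimperium report or the article), the following script sorts the output of `adb shell pm list packages -i` into the nine FlyTrap package names listed above, sideloaded apps (installer other than the Play Store), and Play-installed apps, which is a quick way to check a device against the advice on sideloading given here. The sample `pm` output is constructed, and the script assumes the `package:<name>  installer=<installer>` line format that `pm list packages -i` prints.

```python
import re
from typing import Dict, List

# Package names of the nine FlyTrap apps listed in the Zimperium report.
FLYTRAP_PACKAGES = {
    "com.luxcarad.cardid", "com.gardenguides.plantingfree",
    "com.free_coupon.gg_free_coupon", "com.m_application.app_moi_6",
    "com.free.voucher", "com.ynsuper.chatfuel",
    "com.free_coupon.net_coupon", "com.movie.net_coupon", "com.euro2021",
}

# Installer package name of the Google Play Store. Any other installer
# (the system package installer, a browser, or "null" for adb/manual
# installs) means the app was sideloaded; on Android 8+ sideloading is a
# per-app "Install unknown apps" permission rather than one global switch.
PLAY_STORE_INSTALLER = "com.android.vending"

# One line of `pm list packages -i` output, e.g.
# "package:com.android.chrome  installer=com.android.vending"
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def triage_packages(pm_output: str) -> Dict[str, List[str]]:
    """Bucket packages into known FlyTrap apps, sideloaded apps and
    Play-installed apps, preserving the order they appear in."""
    result: Dict[str, List[str]] = {"flytrap": [], "sideloaded": [], "play": []}
    for raw in pm_output.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # blank line or unexpected format: skip it
        pkg, installer = match.group("pkg"), match.group("inst")
        if pkg in FLYTRAP_PACKAGES:
            result["flytrap"].append(pkg)  # known-bad regardless of installer
        elif installer != PLAY_STORE_INSTALLER:
            result["sideloaded"].append(pkg)
        else:
            result["play"].append(pkg)
    return result


# Constructed sample output; not captured from a real device.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.euro2021  installer=null
package:com.example.notes  installer=com.android.vending
package:com.free.voucher  installer=com.google.android.packageinstaller
package:com.example.sideload  installer=null
"""

if __name__ == "__main__":
    for bucket, pkgs in triage_packages(SAMPLE_PM_OUTPUT).items():
        print(f"{bucket}: {pkgs}")
```

On a real device, pipe `adb shell pm list packages -i` into `triage_packages` instead of the constructed sample.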
Multi-Factor Authentication
Melick also recommended that users enable multi-factor authentication (MFA) for all social-media accounts & any other accounts with access to sensitive & private data.
“While this will not stop this kind of hack, it adds additional security layers such as geo-based alerts” to the user’s profile, he advised – i.e., “This account is trying to log in from Vietnam.”
If an Android user suspects that a Facebook account has been connected to a malicious party, Melick advised following Facebook’s instructions to log out of all sessions on all devices, immediately change the password & enable MFA if not already in use.
Suspicious
In general, be suspicious about grabby apps, Melick advised. “Overall, it is about being aware of what an application is asking for,” he observed.
“If you need to connect your social media accounts to get access to the coupon or deal, pause & ask why. What could that site/coupon company now use that data for? What will they be able to do with your account? Do they really need that to give you a deal? When the connection is established, your data can be easily taken & used without your consent.”