A new Android threat that researchers call FlyTrap has been hijacking Facebook accounts of users in more than 140 countries by stealing session cookies.
FlyTrap campaigns rely on simple social engineering tactics to trick victims into using their Facebook credentials to log into malicious apps that collect data associated with the social media session.
Researchers at mobile security company Zimperium spotted the new piece of malware and found that the stolen information was accessible to anyone who discovered FlyTrap’s command and control (C2) server.
Attract with high-quality apps
FlyTrap campaigns have been running since at least March. The threat actor used malicious applications with a high-quality design, distributed through Google Play and third-party Android stores.
The lure consisted of free coupon code offers (for Netflix, Google AdWords) and voting for your favorite soccer team or player, timed to coincide with the delayed UEFA Euro 2020 tournament.
To claim the promised reward, victims had to log into the application with their Facebook credentials; the authentication itself took place on the social network's legitimate domain.
All information collected in this way goes to FlyTrap’s C2 server. More than 10,000 Android users in 144 countries were victims of this social engineering.
The numbers come directly from the command and control server, which the researchers were able to access because the database with the stolen Facebook session cookies was exposed to anyone on the Internet.
Zimperium’s Aazim Yaswant says in a blog post today that FlyTrap’s C2 server had multiple security vulnerabilities that made it easy to access stored information.
The researcher points out that accounts on social media platforms are a common target for threat actors, who can use them for fraudulent purposes, such as artificially boosting the popularity of pages, sites or products, or amplifying misinformation or a political message.
The campaign highlights the fact that phishing pages that steal credentials are not the only way into an online service account. Logging in on the legitimate domain can also carry risks when the login is performed from inside an untrusted app.
Despite not using a new technique, FlyTrap managed to hijack a significant number of Facebook accounts. With a few modifications, it could become a more dangerous threat to mobile devices, says the researcher.
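One server-side mitigation for the session-cookie theft described above is session binding: tie each session token to attributes of the client that created it, refuse a token that shows up from a different client, and revoke the user's sessions when that happens. The following is an added example written for this article, not Zimperium's code and not anything the article attributes to Facebook; the `SessionStore` class, the `client_fingerprint` helper, the `demo` function and all user agents, addresses and usernames are constructed for illustration.

```python
"""Session binding as a mitigation for stolen session cookies.

Added example (constructed; not the researchers' code and not part of
the original article). A minimal server-side session store binds each
token to a fingerprint of the client that logged in, so a token replayed
from another client is refused and the user's sessions are revoked.
"""
import hashlib
import secrets
import time


def client_fingerprint(user_agent: str, ip_prefix: str) -> str:
    """Hash stable client attributes into a short fingerprint.

    Assumption: the web tier passes the User-Agent header and the network
    prefix of the client address (a /24 here). The full address is
    deliberately not used because mobile clients change address often.
    """
    return hashlib.sha256(f"{user_agent}|{ip_prefix}".encode()).hexdigest()[:16]


class SessionStore:
    """In-memory session table; a real deployment would back this with a DB."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}  # token -> {"user", "fp", "created"}
        self.audit: list[dict] = []           # constructed security audit log

    def create(self, user: str, fp: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "fp": fp, "created": time.time()}
        return token

    def validate(self, token: str, fp: str) -> dict:
        entry = self._sessions.get(token)
        if entry is None:
            return {"ok": False, "reason": "unknown_or_revoked"}
        if entry["fp"] != fp:
            # The token is being presented by a client other than the one
            # that logged in: treat it as possible cookie theft, revoke every
            # session for that user and record the event for the SOC.
            self.revoke_user(entry["user"])
            self.audit.append({"event": "session_replay", "user": entry["user"]})
            return {"ok": False, "reason": "fingerprint_mismatch"}
        return {"ok": True, "user": entry["user"]}

    def revoke_user(self, user: str) -> int:
        doomed = [t for t, e in self._sessions.items() if e["user"] == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def demo() -> tuple:
    """Walk through a legitimate use, a replay from elsewhere, and the aftermath."""
    store = SessionStore()
    victim_fp = client_fingerprint("Mozilla/5.0 (Linux; Android 11)", "203.0.113.0/24")
    token = store.create("alice", victim_fp)

    legit = store.validate(token, victim_fp)          # same client: accepted
    attacker_fp = client_fingerprint("curl/7.79.1", "198.51.100.0/24")
    replay = store.validate(token, attacker_fp)       # other client: refused, revoked
    after = store.validate(token, victim_fp)          # victim's own token now dead
    return legit, replay, after, list(store.audit)


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Binding to the User-Agent alone is weak, since whoever holds the cookie can copy the header too, and binding to an address prefix produces false positives on mobile networks; the value of this layer is containment and a clear detection signal, so it should sit alongside short-lived tokens, re-authentication for sensitive actions, and a user-visible list of active sessions.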