Photo by Rafapress / Shutterstock.com
Researchers at Zimperium have discovered an Android malware named ‘Schoolyard Bully’ active since at least 2018 attempting to steal Facebook accounts from infected devices. According to their report, the malware has infected at least 300,000 devices in 71 countries.
As many as 38 apps were found to be associated with the campaign and were openly available on the Google Play Store but have since been removed. That said, Zimperium reports that apps are still distributed via third-party app stores and websites.
The malware gets its name from the apps using it, which impersonates harmless educational apps. However, since the main goal of the malware is to steal Facebook credentials, these apps use a legitimate Facebook login page to steal user data, including credentials, account ID, username, device name, device RAM and device API.
The app injects JavaScript into legitimate Facebook login pages as Android apps use WebView, a built-in web rendering engine, to show webpages inside apps. JavaScript can be inserted into pages using the evaluateJavascript method and targets the ids m__login__email and m__login__password fields, which are placeholders for the email address and password fields.
The apps use native libraries to hide the malicious code from security analysis tools. A native library called libabc.co is used to store the C&C server data, which is further encoded to hide all strings from any detection mechanisms. These apps also hide the educational content they claim to share in a password-protected Zip file stored in libabc.co alongside the C&C details.
The threat actor behind the trojan is also yet to be determined. That said, the researchers couldn’t find any links between Schoolyard Bully and the FlyTrap Operation, a similar malware that also attempted to Facebook accounts but instead focused on Vietnam.
In the News: Twitter suspends Nazi-sympathiser Ye; Parler deal collapses