More than 300,000 customers throughout 71 international locations have been victimized by a brand new Android risk marketing campaign known as the Schoolyard Bully Trojan.
Mainly designed to steal Facebook credentials, the malware is camouflaged as professional education-themed purposes to lure unsuspecting customers into downloading them.
The apps, which had been accessible for obtain from the official Google Play Store, have now been taken down. That stated, they nonetheless proceed to be accessible on third-party app shops.
“This trojan makes use of JavaScript injection to steal the Facebook credentials,” Zimperium researchers Nipun Gupta and Aazim Bill SE Yaswant stated in a report shared with The Hacker News.
It achieves this by launching Facebook’s login web page in a WebView, which additionally embeds inside it malicious JavasCript code to exfiltrate the person’s telephone quantity, e mail deal with, and password to a configured command-and-control (C2) server.
The Schoolyard Bully Trojan additional makes use of native libraries equivalent to “libabc.so” in order to keep away from detection by antivirus options.
While the malware singles out Vietnamese language purposes, it has additionally been found in a number of different apps accessible in over 70 international locations, underscoring the dimensions of the assaults.
The findings come greater than a yr after Zimperium unearthed related exercise geared toward compromising Facebook accounts by rogue Android apps as a part of a marketing campaign codenamed FlyTrap.
“Attackers may cause lots of havoc by stealing Facebook passwords,” Richard Melick, director of cellular risk intelligence at Zimperium, stated. “If they will impersonate somebody from their professional Facebook account, it turns into extraordinarily simple to phish pals and different contacts into sending cash or delicate data.”
“It’s additionally very regarding how many individuals reuse the identical passwords. If an attacker steals somebody’s Facebook password, there is a excessive likelihood that very same e mail and password will work with banking or monetary apps, company accounts and a lot extra.”