Malware Hacks Thousands Of Facebook Accounts

An Android Trojan has been found to have compromised over 10,000 Facebook accounts in at least 144 countries since March 2021. It was distributed through fraudulent apps on the Google Play Store and other third-party app marketplaces.

This previously undocumented Trojan, known as "FlyTrap", is now believed to be associated with a family of Trojans that use social engineering tricks to breach Facebook accounts as part of a session hijacking campaign orchestrated by cyber criminals operating out of Vietnam, according to reports published by Zimperium's zLabs.

The nine offending applications have been removed from the Google Play Store, but they are still available in third-party app stores, which highlights the risk that sideloaded applications pose to mobile endpoints and user data. The applications are:

  • GG Voucher (com.luxcarad.cardid)
  • GG Voucher Ads (com.m_application.app_moi_6)
  • Vote European Football (com.gardenguides.plantingfree)
  • GG Coupon Ads (com.free_coupon.gg_free_coupon)
  • Chatfuel (com.ynsuper.chatfuel)
  • GG Voucher (
  • Net Coupon (
  • Net Coupon (com.free_coupon.net_coupon)
  • EURO 2021 Official (com.euro2021)

The malicious apps offer Netflix and Google AdWords coupons and let users vote for their favourite players and teams in EURO 2021, which took place from 11 June to 11 July 2021. To cast a vote, users had to log in with their Facebook accounts.

Once the victim has signed in, the malware is designed to pilfer the person's Facebook ID, email address, location, IP address, and the tokens and cookies associated with the Facebook account. This enables the attacker to run disinformation campaigns using the target's geolocation details, or to propagate the malware further via personal messages containing links to the Trojan.

The malware is capable of JavaScript code injection. It opens the legitimate URL inside a WebView, injects the code, and extracts the target information such as cookies, IP address, email, etc.
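For defenders triaging apps pulled from a device or a third-party store, the following is an added example (not Zimperium's or the article's code) that checks a package ID against the list above and looks for the WebView behaviour described here in decompiled source. The indicator names, the `triage` function and both source snippets are constructed for illustration; a legitimate app with an embedded Facebook login can also match, so a "suspicious" verdict means manual review, not a confirmed infection.

```python
import re

# Package IDs listed in the article (the two truncated entries are omitted).
FLYTRAP_PACKAGES = {
    "com.luxcarad.cardid", "com.m_application.app_moi_6",
    "com.gardenguides.plantingfree", "com.free_coupon.gg_free_coupon",
    "com.ynsuper.chatfuel", "com.free_coupon.net_coupon", "com.euro2021",
}

# Heuristic indicators (assumed names) built on real Android WebView APIs.
INDICATORS = {
    "js_enabled": re.compile(r"setJavaScriptEnabled\(\s*true\s*\)"),
    "js_injection": re.compile(r'evaluateJavascript\(|loadUrl\(\s*"javascript:'),
    "cookie_read": re.compile(r"CookieManager[^;]*\.getCookie\("),
    "facebook_url": re.compile(r"https?://[\w.-]*facebook\.com", re.I),
}
# Injection + cookie read + Facebook URL together is the pattern described above.
BEHAVIOUR = {"js_injection", "cookie_read", "facebook_url"}

def triage(package_id, source_text):
    """Return a verdict for one app given its ID and decompiled source text."""
    hits = sorted(n for n, rx in INDICATORS.items() if rx.search(source_text))
    if package_id in FLYTRAP_PACKAGES:
        verdict = "known-bad"
    elif BEHAVIOUR <= set(hits):
        verdict = "suspicious"
    else:
        verdict = "no-match"
    return {"package": package_id, "verdict": verdict, "indicators": hits}

# Constructed decompiled snippets, not taken from any real sample.
SAMPLE_SUSPICIOUS = '''
WebView view = new WebView(ctx);
view.getSettings().setJavaScriptEnabled(true);
view.loadUrl("https://m.facebook.com/login.php");
view.evaluateJavascript(script, callback);
String cookies = CookieManager.getInstance().getCookie(url);
'''
SAMPLE_BENIGN = '''
WebView view = new WebView(ctx);
view.getSettings().setJavaScriptEnabled(true);
view.loadUrl("https://example.org/help");
'''

if __name__ == "__main__":
    print(triage("com.example.constructed", SAMPLE_SUSPICIOUS))
    print(triage("com.example.help", SAMPLE_BENIGN))
```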

The exfiltrated data is hosted on C2 infrastructure, and exploitation of security flaws found in the C2 server can expose the entire database of stolen cookies to anyone with access to the internet. This puts the victims at even greater risk. The accounts stolen from 144 countries can be used for a number of purposes, from something as harmless as boosting the popularity of a page to spreading political propaganda. - lEMLabs
