New FlyTrap Android malware: what it is and how to avoid it

Intrusion Team
Aug 31, 2021

Android malware is no different from malware on other platforms: malicious code written to target Android devices, whether as spyware, adware, trojans, ransomware or viruses. Malware is a constant threat to any infrastructure, and hardly a day passes without news that someone, somewhere, has been hit. How does it get onto a device? Android users are prone to side-loading an application from an unknown source when it is not available in the Play Store, and doing so means waiving a specific security control (allowing installs from unknown sources) that would otherwise have blocked the malicious application.

A new Android trojan, FlyTrap, was discovered recently. It has been seen in 144 countries and has compromised more than 10,000 Facebook accounts. Since March 2021 the attackers have spread it through fraudulent applications distributed on the Google Play Store and on third-party application stores. Forensic investigation indicates that the trojan is operated by threat actors based in Vietnam.

FlyTrap’s attack pattern

The threat group specialises in social engineering: free Netflix coupon codes, Google AdWords coupon codes, and online polls in which users vote for their favourite soccer team or player, all used to disguise the malicious applications. These polished, fake coupons require the user to log in with their Facebook account to claim them. When a user falls for the trick, the attackers obtain the victim's Facebook account ID, email address, IP address, location, and the cookies or tokens associated with that account.

Once the attackers control a victim's Facebook account, they operate it as a legitimate user and spread the campaign further by sending more phishing links to the victim's friends via Facebook Messenger and posts. The compromised accounts can also be used as a botnet to artificially boost the popularity of pages, sites or products, or to spread misinformation.

The trojan works by injecting JavaScript into genuine pages loaded in Android's WebView and hijacking the user's session. The malicious app opens the real website inside its own WebView, where it controls the page; the injected script then reads the victim's account details, location, IP address and session cookies out of the page and forwards them to the FlyTrap command-and-control (C2) server, which stores the stolen credentials. The C2 server itself was misconfigured in a way that could expose the database of stolen cookies to any other attacker who wanted to try them.

Security concerns aren’t limited to Android users

This kind of trojan spreads quickly from one Facebook user to another, and researchers are also concerned that an attacker with this level of access could just as easily exfiltrate more critical data such as banking credentials. The attack shows that even when the network or the system has no specific vulnerability, a simple man-in-the-middle style hijack, performed by the app itself sitting between the user and the real site, can make anyone a victim. It is worrying that such a trojan could be offered as a service for profit, or could eventually evolve into ransomware.

These lures do not simply lead to a fake login page used for phishing; they are advanced enough to work against the real Facebook login page, because the JavaScript injected into the WebView can extract the user's account information from the genuine page. Nor is the technique specific to Facebook: any social network's login page can be abused in the same way. This raises the question: could adversaries soon use the same campaign to steal corporate credentials, targeting victims who use their Android devices to sign in to collaboration platforms such as Google Workspace or Microsoft 365?

In most cases the victim and their Android device are exposed only at the individual level. But when the individual uses a personal Android device in their employee role and it becomes infected, the result can be a massive loss of the company's confidential and business-critical data. It is also tricky when a malware-infested Android device, enrolled under a BYOD program, joins the organization's wireless network: the attacker can use it as a point of entry into the organization and escalate into a far more damaging attack.

How to protect yourself as well as your organization

It is crucial to understand that clicking an unknown link can turn your life upside down; offers like these are usually too good to be true. Impulsive human actions create this vulnerability and hand a large chunk of data to malicious actors. Two things help you stay safe:

  1. Only log in to social networking websites from the official application or your browser, never from a login form presented inside some other app.
  2. Only download applications from the Play Store, and even there check that the developer, reviews and requested permissions look legitimate, since FlyTrap itself was distributed through Play Store listings.

Remember that these attacks depend on a path between the victim's device and the attacker's C2 server. Even in a BYOD (bring your own device) environment, you can cut that path with a solution that monitors and controls all connections to and from your network, inbound and outbound. Note that a device on mobile data rather than the corporate Wi-Fi bypasses that control, so network monitoring complements the user-side precautions above rather than replacing them.
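What that egress monitoring can look for, as an added example that is not part of the original article: the trojan's network footprint is a device fetching a genuine login page and then, moments later, POSTing to an unrelated third-party host. The heuristic below, written for this article rather than taken from any product, runs over a constructed proxy log and flags exactly that sequence; the log format, host names, client addresses, allowlist and 30-second window are all assumptions for illustration.

```python
"""Egress-log heuristic for the FlyTrap-style pattern: a client loads a
genuine social-network login page and, within a short window, POSTs to a
host that is neither that network nor on the organisation's allowlist.
Log format, hosts, clients and thresholds are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy/egress log: timestamp, client, method, host, path.
SAMPLE_LOG = """\
2021-08-30T10:00:01Z 10.20.0.15 GET  m.facebook.com /login.php
2021-08-30T10:00:04Z 10.20.0.15 POST api.example-coupons.net /collect
2021-08-30T10:00:05Z 10.20.0.15 GET  www.facebook.com /home.php
2021-08-30T10:05:12Z 10.20.0.22 GET  m.facebook.com /login.php
2021-08-30T10:05:14Z 10.20.0.22 POST www.facebook.com /login/device-based/regular/login/
2021-08-30T10:07:30Z 10.20.0.22 POST mail.corp.example /EWS/Exchange.asmx
2021-08-30T11:00:00Z 10.20.0.31 POST api.example-coupons.net /collect
"""

# Hosts whose login pages we care about, and hosts the organisation trusts
# for outbound POSTs (both assumed; a real deployment would populate these).
LOGIN_HOSTS = {"m.facebook.com", "www.facebook.com", "facebook.com"}
EGRESS_ALLOWLIST = {"mail.corp.example"}
WINDOW = timedelta(seconds=30)


def parse_line(line):
    """Split one assumed-format log line into its five fields."""
    ts, client, method, host, path = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "host": host,
        "path": path,
    }


def find_suspect_exfil(log_text, login_hosts=LOGIN_HOSTS,
                       allowlist=EGRESS_ALLOWLIST, window=WINDOW):
    """Return (client, host, timestamp) for each POST to an unapproved
    third-party host made within `window` of the same client loading a
    login page. A POST with no preceding login load is not flagged here."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    last_login = {}  # client -> time of its most recent login-page load
    alerts = []
    for e in events:
        if e["host"] in login_hosts and "login" in e["path"]:
            last_login[e["client"]] = e["ts"]
            continue
        if e["method"] != "POST":
            continue
        if e["host"] in login_hosts or e["host"] in allowlist:
            continue  # posting back to the site itself, or to a trusted host
        seen = last_login.get(e["client"])
        if seen is not None and e["ts"] - seen <= window:
            alerts.append((e["client"], e["host"], e["ts"].isoformat()))
    return alerts


def post_destinations(log_text, allowlist=EGRESS_ALLOWLIST,
                      login_hosts=LOGIN_HOSTS):
    """Hunting view: third-party hosts receiving POSTs, with the clients that
    contacted each. A host shared by several unrelated devices is a C2
    candidate worth blocking at the egress point."""
    by_host = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if (e["method"] == "POST" and e["host"] not in allowlist
                and e["host"] not in login_hosts):
            by_host[e["host"]].add(e["client"])
    return {host: sorted(clients) for host, clients in by_host.items()}


if __name__ == "__main__":
    for client, host, when in find_suspect_exfil(SAMPLE_LOG):
        print(f"ALERT {when} {client} -> {host}: POST shortly after login page")
    for host, clients in post_destinations(SAMPLE_LOG).items():
        print(f"POST target {host} contacted by {len(clients)} client(s): {clients}")
```

In the sample, 10.20.0.15 is flagged (login page, then a POST to an unknown host three seconds later), 10.20.0.22 is not (its POSTs go to the login site itself and to an allowlisted mail server), and 10.20.0.31 posts to the same unknown host without a preceding login load, so it only shows up in the hunting view, where the shared destination is the lead worth chasing.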
