How to Keep Yourself from Becoming a Victim of Flytrap Malware

Written by z3nch4n | Published 2021/09/16
Tech Story Tags: mobile-apps | mobile | mobile-app-security | security | cyber-security | cyber-threats | protect-yourself-from-malware | web-monetization

TLDR: A new Android Trojan, codenamed FlyTrap, has already infected over 10,000 victims across more than 140 countries. FlyTrap uses social engineering to compromise victims' Facebook accounts and can collect personal information such as location, email addresses, IP addresses, and the cookies and tokens associated with those accounts. The attackers can later pose as the victims to spread further phishing links to the victims' contacts via direct messages and posts, and push updated, more dangerous malware to those contacts once they have gained their trust.

Flytrap Is Spreading Fast and Has Compromised 10,000+ Users Worldwide.

Codenamed "FlyTrap", this new Android Trojan has already infected over 10,000 victims across more than 140 countries, according to a recent report from the mobile security company Zimperium. What sets this malware apart is that it relies on social engineering to compromise victims' Facebook accounts. FlyTrap targets Android users and can collect personal information such as:

  • their Facebook IDs,
  • location information,
  • email addresses,
  • IP addresses, and
  • the cookies and tokens associated with their Facebook accounts.

The attackers can later pose as the victims to send further phishing links to the victims' contacts via direct messages and posts; coming from a trusted account, those links look legitimate. Once that trust is established, they can also push updated, more dangerous malware to the same contacts.

How Does FlyTrap Malware Work?

Zimperium's zLabs mobile threat research team recently found several previously undetected applications. Following a forensic investigation, the zLabs team determined that this malware belongs to a class of Trojans that use social engineering tricks to compromise Facebook accounts.

Fake Applications

The threat actors made use of several themes popular with users, such as free Netflix coupon codes, Google AdWords coupon codes, and voting for the best soccer team or player.

Originally distributed through Google Play and third-party stores, the applications used polished designs and social engineering to persuade users to download and trust them. After installation, the malicious application displays pages that engage the user and ask for a response.

These are the nine malicious apps:

  • GG Voucher (com.luxcarad.cardid)
  • Vote European Football (com.gardenguides.plantingfree)
  • GG Coupon Ads (com.free_coupon.gg_free_coupon)
  • GG Voucher Ads (com.m_application.app_moi_6)
  • GG Voucher (com.free.voucher)
  • Chatfuel (com.ynsuper.chatfuel)
  • Net Coupon (com.free_coupon.net_coupon)
  • Net Coupon (com.movie.net_coupon)
  • EURO 2021 Official (com.euro2021)

Before the apps hand out the "promised goodies", victims are told to log in with their Facebook account to cast their vote or collect the coupon code or credits. There is, of course, no actual vote and no Netflix coupon code; the login prompt is just the trick that gets users to hand over access to their account.

"Just like any user manipulation, the high-quality graphics and official-looking login screens are common tactics to have users take action that could reveal sensitive information," the zLabs researchers explained.

What sets this Trojan apart is that victims really do log in on the genuine Facebook website. The app opens the legitimate login page inside its own WebView, and while the user signs in, FlyTrap injects JavaScript into that page to hijack the session information (cookies, tokens and account details) - the technique referred to as "JavaScript injection". The URL, the page and the login flow are all genuine, so there is nothing for the user to notice.
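As an added example (not Zimperium's code and not anything from the FlyTrap samples themselves), the Python script below shows how a triage analyst can hunt for this pattern in decompiled Android source: a WebView that loads the genuine facebook.com login page, combined with the standard android.webkit calls that let the host app run its own script inside that page or read its cookie jar. The class names and the three decompiled snippets are constructed for the example; the API names are the real android.webkit ones.

```python
"""Static heuristic for the WebView + JavaScript-injection pattern described above.

Added example, not code from the article, Zimperium, or the FlyTrap samples. Input is
decompiler output (Java-like source text); the three snippets in SAMPLE_TREE are
constructed for illustration. The API names are the standard android.webkit ones.
"""
import re
from dataclasses import dataclass, field

# Standard android.webkit calls that let the host app run its own script inside a
# loaded page, or read that page's cookies directly. Each alone is common in benign
# apps; the combination with a framed third-party login page is what stands out.
INJECTION_APIS = {
    "setJavaScriptEnabled(true)": "JavaScript enabled in the WebView",
    "evaluateJavascript(": "script pushed into the loaded page",
    'loadUrl("javascript:': "javascript: URL executed in the loaded page",
    "addJavascriptInterface(": "page script given a bridge back into the app",
    "CookieManager.getInstance().getCookie(": "cookie jar read by the host app",
}

# Login hosts that a coupon or voting app has no business framing in its own WebView.
TARGET_HOST_RE = re.compile(r'https?://(?:[\w-]+\.)*(facebook\.com|fb\.com)[^"\'\s]*')


@dataclass
class Finding:
    file: str
    hosts: set = field(default_factory=set)
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Referencing facebook.com is harmless on its own (e.g. a share Intent handed
        # to the system browser); it matters when the same file can also script or
        # read the page it loads.
        return bool(self.hosts) and bool(self.reasons)


def scan_source(name: str, source: str) -> Finding:
    """Record target login hosts and injection-capable API calls found in one file."""
    finding = Finding(file=name)
    for match in TARGET_HOST_RE.finditer(source):
        finding.hosts.add(match.group(1))
    for needle, reason in INJECTION_APIS.items():
        if needle in source:
            finding.reasons.append(reason)
    return finding


def scan_tree(files: dict) -> list:
    """Return a Finding for every file that shows the combined pattern."""
    return [f for f in (scan_source(n, s) for n, s in files.items()) if f.suspicious]


# Constructed decompiler output for three hypothetical classes.
SAMPLE_TREE = {
    # Frames the real login page and lifts document.cookie once it has loaded.
    "LoginActivity.java": """
        WebView w = (WebView) findViewById(R.id.web);
        w.getSettings().setJavaScriptEnabled(true);
        w.setWebViewClient(new WebViewClient() {
            public void onPageFinished(WebView v, String url) {
                v.evaluateJavascript("(function(){return document.cookie;})()", cb);
            }
        });
        w.loadUrl("https://m.facebook.com/login.php");
    """,
    # JavaScript enabled, but only for the vendor's own help page: benign.
    "HelpActivity.java": """
        WebView w = (WebView) findViewById(R.id.web);
        w.getSettings().setJavaScriptEnabled(true);
        w.loadUrl("https://help.example.com/faq");
    """,
    # Mentions facebook.com, but hands the URL to the system browser: benign.
    "ShareActivity.java": """
        Intent i = new Intent(Intent.ACTION_VIEW,
                Uri.parse("https://www.facebook.com/sharer/sharer.php"));
        startActivity(i);
    """,
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f"{f.file}: frames {sorted(f.hosts)} and can {', '.join(f.reasons)}")
```

Run it against a directory produced by a decompiler such as jadx by building the `files` dictionary from the `.java` files on disk. The point of requiring both signals is to keep noise down: almost every app enables JavaScript in a WebView somewhere, and many link to facebook.com, but few legitimately do both in the same screen.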

The Trojan then uses the hijacked Facebook accounts to spread further. Because the posts appear to come from a trusted account owner, the malicious links look legitimate. The malware automates the process, sending posts and personal messages that link to the FlyTrap Trojan.

The Trojan also tailors what it propagates using the victim's device location. Adding localized detail to the social engineering lure makes the spread from one victim to the next highly effective.

How to Protect Your Mobile Device

In the worst cases, getting your data back, let alone the accounts that were broken into, can be painful or close to impossible, just as with any other personal data. That's why the best way to limit the loss is to ensure it never happens in the first place.

Review SMS-Based 2FA of All Accounts

Several other methods can serve as your second "factor" and are better protected than text-message-based verification. Handing your phone number to a third party adds the risk that a leak of that number is used to hijack other accounts, for example through SIM swapping. With a little investment, you can decouple your mobile number from your second factor entirely.

Security Keys

Using a physical token (security key) dedicated to this purpose helps; examples are Yubico's YubiKeys and Google's Titan keys. Most vendors offer several form factors: USB-A, USB-C, Lightning, NFC or Bluetooth. Whichever you choose, it is a small thumb-drive-shaped accessory that fits on a keychain.

When authentication is required, you need to plug the key into a USB port on your device, or, if it has an NFC wireless chip in it, hold the key up to your NFC-enabled phone. You can use security keys as secure logins on platforms like:

The main problem with keys is service compatibility. The other is losing or misplacing the key: if you carry it on your keyring and the keyring is lost or stolen, you can be locked out of your accounts. So when you set up a key, enrol a second, backup key as well, in case anything happens to the first.

3rd-party Authenticator Apps

You may already use two-factor authentication to log into accounts, but perhaps only the kind where the service sends a security code to a phone number or email address, which needs an active connection or phone service. An authenticator app is a second factor because:

  • Your password - something you know.
  • The phone with the app and its enrolled secret - something you have; the time-based code it shows proves that you hold that device at that moment.

Authenticator apps generate a time-based code for logging into an account and offer stronger security without the privacy cost of giving out a phone number. The codes are computed on the device, so you do not need an Internet connection to receive them, and they cannot be intercepted through SIM swapping.

Some accounts require a specific authenticator app, while others let you choose. Popular options include Google Authenticator (Android, iOS) and Microsoft Authenticator, both supporting multiple accounts, and Authy, which also supports a range of accounts and offers secure cloud backups.

Cyber Hygiene

Although iPhones are less susceptible to this kind of attack, configuration checks, jailbreak detection and warnings about dangerous networks are still useful on both platforms for reducing the attack surface and mitigating risk.

  • Bitdefender and McAfee have free tiers that offer security checks including malicious-app flagging, network-access monitoring and root-status detection - for Android.
  • Lookout flags malicious apps, checks for potentially dangerous Wi-Fi networks and detects whether the iPhone has been jailbroken - for iOS.

You Can't Protect What You Can't See.

On laptops and desktops we have a process manager for this kind of monitoring. With a few tools we can get similar visibility into a mobile device's network activity and background processes.

  • Lockdown Privacy - for iOS only.
  • Glasswire - the easiest one I tried; supports Android and Windows.

These tools improve visibility and let you check whether an app or background process has started making new Internet connections. You can also quickly spot an app that consumes far more data than it should.

DNS is another area worth reviewing. Use the same tools to check whether your device is querying random-looking domain names; that can indicate an app has been compromised and is trying to exfiltrate information. Once you find out which app is making those connection attempts, delete it immediately.
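As an added example (not the article's code and not tied to any of the tools named above), the Python below runs that check over a constructed per-app DNS log: it scores the leftmost label of each queried name for length, entropy and vowel ratio, then reports only apps that repeatedly query random-looking names. The log format, the app package names and the domains are all invented for the example, and the thresholds are heuristics to tune, not published indicators.

```python
"""Flag apps that query random-looking (machine-generated) domain names.

Added example, not the article's code. The log format is a constructed stand-in for
whatever a network monitor exports: one query per line as "timestamp app name".
"""
import math
from collections import Counter, defaultdict

# Constructed sample log; package names and domains are hypothetical.
SAMPLE_LOG = """\
2021-09-16T10:00:01 com.example.mail imap.example.net
2021-09-16T10:00:02 com.example.mail notifications-prod.example.net
2021-09-16T10:00:04 com.example.coupon xk3qz9v7t2lmw0pj.example.org
2021-09-16T10:00:05 com.example.coupon a81h2kd0fz3qp5ww.example.org
2021-09-16T10:00:06 com.example.coupon m4v8bz71xq2ncg9t.example.org
2021-09-16T10:00:09 com.example.browser news.example.com
2021-09-16T10:00:10 com.example.browser cdn.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; a 16-character label of distinct symbols scores 4.0."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name: str, min_len: int = 12, min_entropy: float = 3.4,
                 max_vowel_ratio: float = 0.3) -> bool:
    """Heuristic on the leftmost label only, since the registered domain may belong
    to a legitimate hosting provider. Human-chosen labels are short (imap, cdn,
    news) or, when long, vowel-rich (notifications-prod); generated ones are long,
    dense and consonant/digit heavy."""
    label = name.split(".")[0].lower()
    if len(label) < min_len:
        return False
    vowels = sum(label.count(v) for v in "aeiou")
    return (shannon_entropy(label) >= min_entropy
            and vowels / len(label) < max_vowel_ratio)


def parse_log(text: str):
    """Yield (timestamp, app, queried_name) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, app, name = line.split()
            yield ts, app, name


def suspicious_apps(text: str, min_hits: int = 2) -> dict:
    """Map app -> random-looking names it queried, keeping only apps with at least
    min_hits so one odd CDN hostname does not flag an app by itself."""
    hits = defaultdict(list)
    for _, app, name in parse_log(text):
        if looks_random(name):
            hits[app].append(name)
    return {app: names for app, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for app, names in suspicious_apps(SAMPLE_LOG).items():
        print(f"{app}: {len(names)} random-looking queries, e.g. {names[0]}")
```

The entropy threshold alone is not enough: a long, ordinary hostname like notifications-prod scores above 3.4 bits per character, which is why the vowel ratio and the per-app repeat count are also part of the decision.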

Key Takeaways

Threat actors are exploiting a common user misconception: that logging in on the genuine domain is always safe. The targeted domains are popular social media platforms such as Facebook and Google, which people use to sign up for other websites.

This malware campaign has been particularly effective at harvesting social media users' profiles across 140+ countries. The stolen accounts can be used as a botnet (zombies) for various purposes, from inflating the popularity of pages, sites or products to spreading misinformation or political propaganda.

Like any user manipulation, legitimate-looking login screens and high-quality graphics are typical tactics to get users to give up sensitive information. In this case, while the user logs into their real Facebook account, the FlyTrap Trojan hijacks the session information on the fly.

FlyTrap is just one example of the continuing threats against mobile devices aimed at stealing social media credentials. Mobile devices are often treasure troves of poorly protected usernames and passwords for social media accounts, banking applications and more.

More importantly, the tools and techniques FlyTrap uses are not new, yet they work because most devices have no advanced mobile endpoint security. It would not take much for a malicious party to take FlyTrap, or any other Trojan, and modify it to target even more critical information.

Thank you for reading. May InfoSec be with you🖖.

This article was first published at: https://medium.com/technology-hits/how-to-keep-yourself-safe-from-the-flytrap-trojan-91c695fd390c

Some definitions and explanations have been reworded from the following article: https://blog.zimperium.com/flytrap-android-malware-compromises-thousands-of-facebook-accounts/


Written by z3nch4n | Interested in Infosec & Biohacking. Security Architect by profession. Love reading and running.
Published by HackerNoon on 2021/09/16