FlyTrap is a trojan that affects Android users. It is used by cybercriminals to hijack people’s Facebook accounts. It has been around since March 2021. According to Zimperium, the company that described FlyTrap, at least 10 thousand Android users across 144 countries were affected by this stealer.
Trojans were disguised as giveaway apps
The FlyTrap trojan spread in malicious apps, both in and outside the Play Store. For now, Google has removed all the apps that were found to be infected with this stealer.
A trojan is a malicious program that is disguised as a legitimate, trusted app. The FlyTrap apps were made to look fun, useful and professional. To get users to engage, they let them vote for sports teams and fill out surveys: the apps were themed around Chatfuel, GG voucher and coupon ads, EURO 2021 official and UEFA voting. Some of the apps promised to give out free Netflix and Google Ads coupons.
Once installed, these apps stole Facebook credentials, location, email address, IP, and cookies. In addition, they stole tokens that could be used to log in to people’s Facebook accounts without their passwords.
And once the cybercriminals who are behind the FlyTrap campaign got access to Facebook accounts, they could start spreading FlyTrap in messages to the account’s friends. In addition, the hacked accounts could be used to distribute other malware and promote various pages and products. If the Facebook account had an ad page and a payment method, it could even be made to run ad campaigns.
The people behind FlyTrap likely made a lot of money from this. We’ve seen something similar before in SilentFade and CopperStealer – spyware infections that stole social media accounts and used them to commit advertising fraud.
FlyTrap showed real Facebook logins
The FlyTrap apps asked users to sign into Facebook. Supposedly, that was necessary to give the free coupons. The coupons weren’t real, of course. But the interesting bit is how FlyTrap stole people’s Facebook credentials.
According to Zimperium, FlyTrap didn’t create fake Facebook login pages to steal people’s passwords. Rather, the trojan opened the real Facebook login sites, then extracted emails and passwords from them.
Zimperium’s write-up shows screenshots of the trojan apps in action.
This is a more effective form of phishing (stealing info by impersonating a trusted company, website, or person): the user really does log in to their real Facebook account, so there’s no reason for them to be suspicious.
Here’s the thing: a lot of phishing sites work by showing fake login pages – they are easy enough to create – but they usually don’t bother to log the user into their real account. This makes it easy for the victim to notice that something is wrong and change their password before it can be abused.
FlyTrap showed that even when you’re aware of phishing, even when you’re careful to only sign in to the official site, there’s still a way for malware to steal your information. It reminds me of the news that some phishing scams are so good that they can defeat 2FA. If a hacker is very dedicated, they could craft a nearly perfect scam.
How can you keep yourself safe?
How can you protect yourself from this sort of malware?
Zimperium shared the FlyTrap-infected files, such as this one on Virustotal.com. At the time of writing (a day after FlyTrap was described), antivirus scanners label the malicious apps with these names:
- Android.PWS.Facebook (info stealer)
- Artemis (a generic name for a threat)
- Potentially Unsafe
- Utilcode
- DataCollector
- AdLibrary:Generisk (info stealer)
- APK:RepSandbox [Trj]
Not many antivirus scanners flagged the infected apps, but the number is rising. FlyTrap is still new, so it takes a bit of time for security scanners to update their definitions. But the point is that, when a trojan is still new and unknown, your antivirus app (if you have one) might fail to detect it. The Play Store scans the uploaded apps, but it makes mistakes.
Note that downloading apps from outside the Play Store is even riskier – though, in absolute numbers, most Android malware comes from the Play Store, the fraction of malicious apps is smaller there than in other app stores.
The FlyTrap trojan apps lured in users by promising free stuff. That part is the most suspicious to me. It’s how a lot of scams work: promises of “free” phones, cryptocurrency giveaways, various other prizes are used to push people to reveal their personal info (including credit card details) to scammers. Think twice before plunging into a giveaway. Verify that it’s being organized by a reputable company, or else assume that it’s fake. This will help you avoid a lot of scams.