There’s a new Trojan-spreading operation going on out there, and it has already infected thousands of Android devices across 144 countries. The victims were tricked into downloading the malware themselves through social media posts that link to third-party app stores or shady websites that deliver the APKs.
The trojan is named ‘FlyTrap,’ and according to researchers at Zimperium’s zLabs, who discovered and analyzed it, it is a novel piece of malicious software. The campaign has been running since March 2021 and is still underway.
The lures include free Netflix coupon apps, football player voting apps, Google AdWords voucher apps, and similar offers. Zimperium lists these apps in its blog post, but the actors can easily swap in different ones, so the list should not be treated as exhaustive.
In all cases, the user is made to believe they’re one step away from getting a free coupon - until they are eventually served a Facebook account login page that is supposedly used to verify their identity. The actors even provide the promised coupon code, even though it’s totally bogus.
By digging deeper, Zimperium researchers found that the C2 server used by the actors isn’t properly secured, so anyone can access the exfiltrated data stored in its database, which makes the case even worse for the victims. Operational mistakes of this type aren’t rare in the cybercrime world, as hackers don’t care much about protecting the stolen data from outsiders.
NTT’s vice president, Setu Kulkarni, tells us:
This is a nifty combination of a handful of “vulnerabilities”: the human vulnerability to click before you think, a software vulnerability to allow JS injection, the abundance of metadata open to access like location, and finally the implicit trust that can be gained by clever yet dubious association with the likes of Google, Netflix, etc. The most concerning bit is the network effect this type of trojan can generate by spreading from one user to many. This trojan could be evolved to exfiltrate significantly more critical information like banking credentials. The what-if scenarios don’t end there, unfortunately. What if this type of trojan is now offered as-a-service, or what if this transforms quickly into ransomware targeting hundreds of thousands of users?
The takeaway here is that you can’t (and shouldn’t) trust anyone blindly, not even your friends on Facebook, as someone else could be hiding behind a direct message from their accounts. If you are urged to download an APK from outside the Play Store, it is most probably malware, and you should not give in to curiosity. If you insist on downloading and installing such an app, make sure that you review the requested permissions carefully before you grant approval and use an up-to-date mobile security solution that could help you catch threats before it’s too late.
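One way to put the sideloading advice above into practice on a device you administer is to check where each installed package came from. The script below is an added example, not code from the article or from Zimperium: it parses the output of `adb shell pm list packages -i` (a constructed sample is embedded) and flags every package whose installer is not a trusted storefront. The set of trusted installer package names is an assumption you should adjust to your own fleet.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the format printed by `adb shell pm list packages -i`.
# The package names are illustrative and not taken from the article.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.netflixcoupons  installer=null
package:com.example.footballvote  installer=com.example.thirdpartystore
package:com.sec.android.app.camera  installer=com.sec.android.app.samsungapps
package:com.example.adwordsvoucher  installer=com.android.packageinstaller
"""

# Assumption: storefronts whose installs are considered trusted on this fleet.
TRUSTED_INSTALLERS: Set[str] = {
    "com.android.vending",              # Google Play Store
    "com.sec.android.app.samsungapps",  # Samsung Galaxy Store
}

# Each line looks like "package:<name>  installer=<installer-or-null>".
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_pm_output(text: str) -> Dict[str, str]:
    """Map each package name to its recorded installer ('null' if unknown).

    Lines that do not match the expected format are skipped rather than
    raising, so a stray warning line from adb does not abort the check.
    """
    result: Dict[str, str] = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            package, installer = match.groups()
            result[package] = installer
    return result


def find_sideloaded(text: str, trusted: Set[str] = TRUSTED_INSTALLERS) -> List[str]:
    """Return packages not installed by a trusted storefront, sorted by name.

    'null' (no recorded installer, e.g. adb install) and the stock
    com.android.packageinstaller (manual APK install) both count as
    sideloaded, as do unknown third-party stores.
    """
    installers = parse_pm_output(text)
    return sorted(pkg for pkg, inst in installers.items() if inst not in trusted)


if __name__ == "__main__":
    # Review the flagged packages by hand; system apps also report
    # installer=null, so on a real device prefer `pm list packages -i -3`
    # to restrict the listing to third-party apps.
    for pkg in find_sideloaded(SAMPLE_PM_OUTPUT):
        print(f"sideloaded: {pkg}")
```

On a live device, pipe `adb shell pm list packages -i -3` into `find_sideloaded` instead of the sample; the `-3` flag limits the listing to third-party packages so that preinstalled system apps, which also report `installer=null`, do not crowd out the real findings.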