New Android malware hijacks thousands of Facebook accounts


A new Android Trojan was found to have compromised the Facebook accounts of more than 10,000 users in at least 144 countries since March 2021, via fraudulent apps distributed through Google Play Store and other third-party app marketplaces.

The malware, dubbed “FlyTrap,” is believed to be part of a family of Trojans that use social engineering tricks to breach Facebook accounts as part of a session hijacking campaign organized by threat actors operating out of Vietnam.

According to malware researcher Aazim Yaswant at Zimperium’s zLabs, the nine offending applications have been removed from Google Play, but they continue to be available in third-party app stores.

The list of apps includes the following:

  • GG Voucher (com.luxcarad.cardid)
  • Vote European Football (com.gardenguides.plantingfree)
  • GG Coupon Ads (com.free_coupon.gg_free_coupon)
  • GG Voucher Ads (com.m_application.app_moi_6)
  • GG Voucher (
  • Chatfuel (com.ynsuper.chatfuel)
  • Net Coupon (com.free_coupon.net_coupon)
  • Net Coupon (
  • EURO 2021 Official (com.euro2021)

The malicious apps claim to offer Netflix and Google AdWords coupon codes and to let users vote for their favorite teams and players at UEFA EURO 2020, which took place between 11 June and 11 July 2021. The catch is that users must log in with their Facebook accounts to cast their vote or to collect the coupon code or credits.

As soon as a user signs into the account, the malware is equipped to steal the victim’s Facebook ID, location, email address, IP address, and the cookies and tokens associated with the Facebook account. This enables the threat actor to carry out disinformation campaigns using the victim’s geolocation details, or to propagate the malware further via social engineering by sending personal messages containing links to the Trojan.

This is done using a technique called JavaScript injection: the application opens the legitimate URL inside a WebView configured with the ability to inject JavaScript code, then extracts all the necessary information, such as cookies, user account details, location, and IP address, by injecting malicious code.
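A static triage heuristic for the pattern described above, as an added example that is not taken from the article or from Zimperium's report. It flags decompiled source in which a JavaScript-enabled WebView loads a Facebook URL and also injects script or reads cookies; the indicator names and both sample snippets are constructed for illustration.

```python
import re

# Heuristic indicators (assumed names) built on real Android WebView/CookieManager calls.
INDICATORS = {
    "js_enabled": re.compile(r'setJavaScriptEnabled\s*\(\s*true\s*\)'),
    "js_injection": re.compile(
        r'evaluateJavascript\s*\(|loadUrl\s*\(\s*"javascript:|addJavascriptInterface\s*\('),
    "cookie_read": re.compile(r'CookieManager\b[^;]*\.getCookie\s*\('),
    "login_url": re.compile(r'https?://(?:[\w-]+\.)*facebook\.com\b', re.I),
}

def scan(source):
    """Return {indicator: [1-based line numbers]} for one decompiled source file."""
    hits = {name: [] for name in INDICATORS}
    for number, line in enumerate(source.splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits[name].append(number)
    return hits

def verdict(hits):
    """'review' when a third-party login page meets script injection or cookie access."""
    present = {name for name, lines in hits.items() if lines}
    # JavaScript in a WebView is common and benign on its own; the combination
    # with someone else's login page and cookie or script access is what matters.
    risky = present & {"js_injection", "cookie_read"}
    if {"login_url", "js_enabled"} <= present and risky:
        return "review"
    return "ok"

# Constructed sample: the API combination the article describes, with no payload.
SUSPECT = '''\
WebView w = findViewById(R.id.web);
w.getSettings().setJavaScriptEnabled(true);
w.loadUrl("https://m.facebook.com/login");
w.evaluateJavascript(script, callback);
String c = CookieManager.getInstance().getCookie(url);
'''

# Constructed sample: an app showing its own help page in a WebView.
BENIGN = '''\
w.getSettings().setJavaScriptEnabled(true);
w.loadUrl("https://help.example.org/faq");
'''

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, verdict(scan(src)), scan(src))
```

A "review" result is a prompt for manual analysis, not a classification: apps that embed a social login for legitimate reasons can match the same indicators.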

While the exfiltrated data is hosted on a command-and-control (C2) infrastructure, security flaws found in the C2 server could be exploited to expose the entire database of stolen session cookies to anyone on the internet, thereby putting the victims at further risk.

The researcher stated that the threat actors are leveraging the common user misconception that logging into the right domain is always secure, irrespective of the application used to log in.

The targeted domains are popular social media platforms, and this campaign was effective in harvesting social media session data of users from almost 144 countries. These accounts can be used as a botnet for different purposes, ranging from boosting the popularity of pages, sites or products to spreading misinformation or political propaganda.


Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News
