Researchers discover ‘Schoolyard Bully’ Android malware that steals Facebook logins of 300,000 users
Security researchers at mobile security company Zimperium discovered an Android malware variant on the Google Play Store and third-party app stores targeting victims’ Facebook logins. Malware called ‘Schoolyard Bully’ has spread to over 300,000 victims in more than 71 countries.
“Malicious code was hidden within these apps, but in reality they were able to steal Facebook credentials to upload to threat actors’ Firebase C&C,” the researchers wrote in a blog post.
Android malware uses native libraries to hide from antivirus
According to researchers from Zimperium zLabs, the Android malware uses native libraries to evade antivirus solutions that rely on machine-learning-based detection. The malicious apps take the same native-library approach for their data handling, using the libabc.so library to store the stolen Facebook logins and to encode strings so that they escape detection. The apps also deliver educational materials in password-protected ZIP files, with the password and the stolen user details stored in the libabc.so library.
The Android malware harvests Facebook logins (email address or phone number and password), the user ID and profile name of compromised Facebook accounts, and device-related information such as device name, RAM, and API.
Although the Schoolyard Bully malware primarily targets Android users in Vietnam, Zimperium researchers observed the campaign in 71 countries. Zimperium also identified at least 37 apps that have since been removed from the Google Play Store but are still available in third-party stores.
According to the threat intelligence firm, the Android malware campaign has been active since 2008.
“Although Google has improved its defenses against malware scanning in the Google Play Store, malicious apps like this still slip into the store and achieve thousands or even millions of downloads before their malicious payloads are detected,” said Chris Hauk, consumer privacy advocate at Pixel Privacy. “While apps like this can still cause problems in the Store, it’s still safer than loading apps onto your Android device from external sources.”
Hauk advised Android users to periodically run antivirus and anti-malware software to detect malicious apps: “I personally use Malwarebytes, but there are several quality security packages available for Android devices,” he said. “Malware scanning can help Android users detect previously unknown malicious apps that may be installed on their devices.”
Threat actors compromise financial accounts using stolen Facebook logins
The researchers warned that threat actors could misuse the stolen Facebook account credentials to gain access to victims’ financial accounts. The impact of stolen Facebook logins is significant: users can log into other online services with their social media accounts, and 64% of users reuse passwords leaked in previous breaches.
The researchers did not identify the threat actor behind the Android malware campaign, but they discovered a similar campaign called FlyTrap carried out by Vietnamese threat actors.
“However, our researchers have determined that the threat actors in the two campaigns are distinct and operating independently based on the differences found in the code samples,” they suggested.
Zimperium zLabs published a list of Indicators of Compromise (IoCs) to help users and researchers detect and isolate the Android malware variant.
According to Paul Bischoff, privacy lawyer at Comparitech, the social media giant could do nothing to protect Android users who installed apps that steal Facebook logins.
“If you install a malicious app to steal information on your device, there is nothing Facebook can do to protect your account from being hacked,” Bischoff said. “Although this was an attack on Facebook users, it does not exploit a Facebook vulnerability.”
Bischoff advised users to enable multi-factor authentication to prevent hackers from taking over their accounts should their Facebook logins be compromised. Bischoff also advised Android users to avoid third-party app stores and only download apps from the Google Play Store.
“Google Play checks all the apps uploaded to it and ensures that you get the authentic, latest version, as opposed to an older vulnerable version or one corrupted with malware. Google Play isn’t perfect – apps on Google Play were infected with Schoolyard Bully – but it’s better than the alternatives and quick to act when alerted to a malicious app.”