Educational apps impersonated by an Android malware

December 13, 2022

A threat group is hiding its Android malware behind impersonated reading and educational apps for students. The campaign aims to steal Facebook account credentials from targeted devices.

A recent report revealed that the malware operators have already infected more than 300,000 devices across over 70 countries worldwide. Vietnam is the most heavily targeted country in this campaign.

One of the identified applications used to distribute the malware is Schoolyard Bully. The app was previously available on the Play Store, but it was taken down after a researcher reported it to Google.

However, researchers say the apps are still being distributed through third-party sources that offer Android apps and APKs.

The Android malware impersonates educational apps, intending to steal sensitive user data.

One of the Android malware payloads, called “Schoolyard Bully”, gets its name from presenting itself as a harmless educational application. Its main objective, however, is to harvest Facebook account credentials together with the username, account ID, device name, device API, and device RAM.

The malware steals this data by loading the legitimate Facebook login page inside the app in a WebView and injecting malicious JavaScript that captures what the user types.

The researcher further explained that the JavaScript is injected into the WebView through the ‘evaluateJavascript’ method. The injected code then extracts the values of the page elements with the IDs ‘m_login_email’ and ‘m_login_password’, the login form fields that hold the victim’s email address, phone number, and password.

In addition, the malware uses native libraries to hide its malicious code from analysis tools and security defences.
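As an added illustration (not part of the original article, and not the researchers’ own tooling), the following Python script triages a text dump from a decompiled APK for the combination of behaviours described in the two paragraphs above: JavaScript injection into a WebView via evaluateJavascript, references to the Facebook login form field IDs m_login_email and m_login_password, and native library loading. The indicator table, the weights and thresholds, the Facebook login URL pattern, and both sample dumps are constructed assumptions for this example, not a published signature for Schoolyard Bully.

```python
"""Heuristic triage for the WebView credential-harvesting pattern.

Input is a list of text lines, e.g. the output of `strings` over classes.dex
or the decompiled smali of an APK. The indicator table, weights, thresholds
and the sample dumps below are constructed for this example; they are not a
published signature for Schoolyard Bully.
"""
import re
from dataclasses import dataclass, field

# name -> (pattern, weight, category). Patterns reflect the behaviour the
# article describes (evaluateJavascript, the m_login_* field IDs, a WebView,
# native libraries); the Facebook login URL pattern is an assumption.
INDICATORS = {
    "webview_js_injection": (re.compile(r"evaluateJavascript"), 3, "injection"),
    "fb_login_email_field": (re.compile(r"\bm_login_email\b"), 3, "credential_ids"),
    "fb_login_password_field": (re.compile(r"\bm_login_password\b"), 3, "credential_ids"),
    "facebook_login_url": (re.compile(r"facebook\.com/login", re.I), 2, "target"),
    "webview_usage": (re.compile(r"android/webkit/WebView|\bWebView\b"), 1, "webview"),
    "native_library_load": (re.compile(r"System\.loadLibrary|loadLibrary"), 1, "native"),
}


@dataclass
class ScanResult:
    matched: dict = field(default_factory=dict)  # indicator -> first line number
    score: int = 0
    verdict: str = "clean"


def scan_lines(lines):
    """Match every indicator at most once, sum the weights and derive a verdict."""
    result = ScanResult()
    for lineno, line in enumerate(lines, start=1):
        for name, (pattern, weight, _category) in INDICATORS.items():
            if name not in result.matched and pattern.search(line):
                result.matched[name] = lineno
                result.score += weight
    categories = {INDICATORS[name][2] for name in result.matched}
    # The telling combination is JavaScript injection into a WebView together
    # with the login form field IDs; either on its own is common in benign apps.
    if "injection" in categories and "credential_ids" in categories:
        result.verdict = "high"
    elif result.score >= 4:
        result.verdict = "medium"
    elif result.score > 0:
        result.verdict = "low"
    return result


def scan_file(path):
    """Scan a strings/smali dump on disk (errors='replace' tolerates binary noise)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh.read().splitlines())


# Constructed dump resembling the behaviour the article describes.
SAMPLE_SUSPICIOUS = [
    "Lcom/example/reader/MainActivity;",
    "Landroid/webkit/WebView;",
    "https://m.facebook.com/login.php",
    "evaluateJavascript",
    "m_login_email",
    "m_login_password",
    "libreaderhelper.so",
    "System.loadLibrary",
]

# Constructed dump of a benign app that embeds a WebView for a local help page.
SAMPLE_BENIGN = [
    "Lcom/example/notes/NoteActivity;",
    "Landroid/webkit/WebView;",
    "file:///android_asset/help.html",
    "System.loadLibrary",
]

if __name__ == "__main__":
    for label, dump in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        res = scan_lines(dump)
        print(f"{label}: verdict={res.verdict} score={res.score} matched={sorted(res.matched)}")
```

The verdict logic deliberately separates the WebView and evaluateJavascript indicators from the credential field IDs: many legitimate apps call evaluateJavascript on an embedded WebView, so those alone only reach "medium", while the pairing of injection with the m_login_* field names is what marks a sample for manual review. Run scan_file over the strings output of a decompiled sample to apply the same triage to real input.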

What makes this attack concerning is that the researcher’s telemetry data showed the malware had already infected 300,000 victims in over 70 countries globally.

The number of victims may be even higher, since there is no accurate way to measure victim counts for social media platforms. Furthermore, over 30 apps affiliated with this campaign are spread through third-party sources, and the researchers believe that more applications carry the same malware.

As of now, the operators of this campaign are still unknown, and their apps remain available on third-party sources. Users should therefore only download applications from trusted sources and avoid installing apps they do not need.
