Hacker-Controlled Trojans Disguised as Educational Apps
The “Schoolyard Bully” campaign — a batch of Trojan viruses disguised as educational apps offering content like books and topics for students — has infected over 300,000 victims and was specifically designed to swipe Facebook credentials, Zimperium’s zLabs unit said Thursday. Though the targets of the campaign were largely located in Vietnam, victims were also spread out across 71 different countries. Active since 2018, the trojan campaign is designed to steal and upload credentials to threat actor-controlled servers. Having since been removed from Google’s Play Store — the world’s largest store at over 3.5 million downloadable apps — Schoolyard Bully continues to be available and poses a risk to students through third-party app stores, Zimperium said. “Nearly 64% of individuals use the same password that was exposed in a previous breach,” researchers said. “With the percentage of users recycling passwords, it is no surprise the Schoolyard Bully Trojan has been active for years.” As such, the Trojan is particularly effective at swiping financial accounts.
JavaScript Injection Via Legitimate Facebook Sign-In
The Schoolyard Bully hoovers data like Facebook profile names and IDs, emails and phone numbers, and user passwords. It also takes users’ device names and device hardware and software information. By using “native libraries,” the virus can evade some antivirus threat scans. Researchers say Schoolyard Bully targets both Vietnamese and international victims. When a user enters their Facebook account credentials within the app through a legitimate Facebook WebView page, data is transferred silently and extracted to a threat actor-controlled command and control server through Javascript injection. “The Trojan opens the legitimate URL inside a WebView with the malicious javascript injected to extract the user’s phone number, email address, and password then sends it to the configured Firebase C&C.” Similar to Schoolyard Bully, Zimperium researchers noted that recent virus campaigns like “FlyTrap” were also propagated by Vietnamese threat actors. The perpetrators, though, seem to be different from “FlyTrap,” as the campaigns operate differently and wield different codes.
Be Cautious Around Third-Party App Stores and Apps
Third-party apps can find their way onto any app store, regardless of the reputation and security they may have. They have, however, statistically been more present on Google Play and third-party app stores geared toward Android. This October, Meta security researchers identified over 400 mobile apps targeting Facebook users on Google Play. Apple is known to be more stringent about verifying apps on their app store and about allowing “side-loading,” which can allow hackers to sidestep Apple’s protections. We recommend you use a premium antivirus scanner like Kaspersky Security Cloud Free on your Android device that can flag suspicious apps and websites before they have the chance to get on your device. If you suspect your mobile device may have already been infected, make sure to have a look at our Android malware removal guide.