Woman's hand touching screen on tablet with Facebook showing Android malware stealing Facebook logins

Researchers Discover ‘Schoolyard Bully’ Android Malware Stealing Facebook Logins of 300,000 Users

Security researchers at mobile security company Zimperium discovered an Android malware variant on Google Play Store and third-party app stores targeting the victims’ Facebook logins. The Malware dubbed ‘Schoolyard Bully’ has spread to over 300,000 victims in more than 71 countries.

The “Schoolyard Bully Trojan” apps disguise themselves as legitimate educational apps offering free books on various topics. However, they include an authentication option that opens a legitimate Facebook login page in a Webview injected with malicious JavaScript code. The code extracts the user’s phone number, email address, and password and posts the data to the threat actors’ command and control (C2) server configured with Firebase.

“Malicious code was hidden within these apps, but in reality, they were capable of stealing Facebook credentials to upload to threat actors’ Firebase C&C,” the researchers wrote in a blog post.

Android malware uses native libraries to hide from antivirus

According to Zimperium zLabs researchers, the Android malware uses native libraries to evade antivirus software solutions that use machine learning virus detections. Additionally, the malicious apps use similar tactics as the libabc.so native library to store the stolen Facebook logins and encode strings to prevent detection. They also deliver educational materials in password-protected ZIP files with the password and stolen user details stored in the libabc.so library.

The Android malware targets Facebook logins (email/phone number and password), user ID and profile names from compromised Facebook accounts, and device-related information such as device name, RAM, and API.

Although the Schoolyard Bully malware primarily targets Android users in Vietnam, Zimperium researchers detected the Android threat campaign in 71 countries. Zimperium also identified at least 37 apps that have since been removed from the Google Play Store but are still present on third-party stores.

According to the threat intelligence firm, the Android malware campaign has been active since 2008.

“While Google has improved its malware scanning defenses in the Google Play store, malicious apps like this still slip into the store, scoring thousands or even millions of downloads before their malicious payloads are discovered,” said Chris Hauk, consumer privacy champion at Pixel Privacy. “Even though apps like this can still cause issues in the store, it is still safer than sideloading apps onto your Android device from outside sources.”

Hauk advised Android users to periodically run antivirus and anti-malware software to detect malicious apps: “I personally use Malwarebytes, but there are several quality security suites available for Android devices,” he said. “Scanning for malware can help Android users discover previously unknown malicious apps that may be installed on their devices.”

Threat actors compromise financial accounts using stolen Facebook logins

The researchers warned that threat actors could abuse the stolen Facebook account credentials to access victims’  financial accounts. The impact of stolen Facebook logins is significant since users can log into other online services using their social media accounts, while 64% of users reuse passwords leaked in previous breaches.

However, the researchers did not identify the threat actor behind the Android malware campaign but discovered a similar campaign dubbed FlyTrap executed by Vietnamese threat actors.

“However, our researchers have determined that the threat actors of the two campaigns are different and operate independently based on the differences found in the code samples,” they suggested.

Zimperium zLabs published the list of indicators of compromise (IoC) to assist users and researchers in detecting and isolating the Android malware variant.

According to Paul Bischoff, privacy advocate at Comparitech, the social media giant could do nothing to protect Android users who installed apps that steal Facebook logins.

“If you install a malicious info-stealing app on your device, there’s nothing Facebook can do to protect your account from being hacked,” Bischoff said. “Although this was an attack on Facebook users, it does not exploit a Facebook vulnerability.”

Bischoff advised users to enable multi-factor authentication to prevent hackers from taking over their accounts should their Facebook logins be compromised. Bischoff also advised Android users to avoid third-party app stores and only download apps from Google Play Store.

“Google Play vets all the apps uploaded to it and ensures you’re getting the authentic, latest version, as opposed to an older vulnerable version or a version corrupted with malware. Google Play isn’t perfect—apps on Google Play were infected with Schoolyard Bully—but it’s better than the alternatives and swift to act when notified of a malicious app.”