Posted on Leave a comment

Beware!! Facebook Accounts Are Hijacked By Android Malware.

Zimperium’s zLabs mobile threat research teams have come across a new android malware named “FlyTrap” which has infected over 10,000 victims and spread across 144 countries atleast from March 2021 for hijacking well known social media accounts.

Researchers additionally noted that threat actors based out of Vietnam are using social engineering technique to hijack over Facebook accounts of the victims. Zimperium research team has proactively reported this issue to Google, therein the software giant has removed the malicious apps from the Google play store, however the researchers identified that the malicious apps are still available in third party sites and repositories.

How does the infection works?

On the first hand, threat actors had been using multiple themes such as free Netflix account codes, Google adwords coupon codes, and football team or player voting app which redirects to Facebook login page at some point of time for casting the vote or for collecting the coupon codes for hijacking the accounts.

On the other hand, the malicious android applications collects following details from victim device and exfiltrates to C&C server.

  • Facebook ID
  • Location
  • Email address
  • IP address
  • Cookie and Tokens associated with the Facebook account

CyberWorkx news readers are recommended to use MFA for all the social media accounts and at some point of time if the user suspects that their facebook account is connected to malicious third party can logout from all the devices by following below steps

To log out of Facebook on another computer, phone or tablet:

  1. Go to your Security and login settings.
  2. Go to the section Where you’re logged in. You may have to click See more to see all of the sessions where you’re logged in.
  3. Find the session you want to end. Click and then click Log Out.

Clicking Log Out will immediately log you out of Facebook on that device.

Indicators of Compromise

FlyTrap Trojan Android applications:
  • com.luxcarad.cardid : GG Voucher
  • com.gardenguides.plantingfree : Vote European Football
  • com.free_coupon.gg_free_coupon : GG Coupon Ads
  • com.m_application.app_moi_6 : GG Voucher Ads
  • com.free.voucher : GG Voucher
  • com.ynsuper.chatfuel : Chatfuel
  • Com.free_coupon.net_coupo    n : Net Coupon
  • com.movie.net_coupon : Net Coupon
  • com.euro2021 : EURO 2021 Official
  • 00833ff71a1709e60cb04acbcc7ceecd56323e693de3c424fb37205204d43105
  • fa08c2ca7d8614be2b0b58095d0f3115464e9139bf5051c4f3da15963bb31062
  • 30a3ad09199660baca6410a4ada290887390d9453d95eb1e84bdd984c89ecc3a
  • 8e6c98b247a2bb34d5004c3f14d2cbf2a22c987f960e86c760d44766f9361c59
  • 21b85beb9992fccb268fcef2904c5e6591a3c80b7fa8dd201e28782887fea2cb
  • d1cf14ccbc8f718111e59f9173475b2882dc6d1ca381ff3b726f2b471711aa7e
  • c4eed338a3449c57eb919eac9a41b5b5ca4d0223fda341005e68f5b673d745ad
  • 3b0137302a6b93cc4dd4d0a58749fc959f8d9ad26d022d6b10dc3d7608af3279
  • 3cd5cee4326d48c0b1f0c40d3b8f3e0d7ef7ef2b782afbe95e07a3d519ba5aee
  • 1a3b448853479bf6b23d283bd44b0458132c3cda1648eac631dfdc178aee5ac0
  • 5d671f5ed5e5855dc5727412b2a9293f42b7b5f31c3b924a30beacd8304863b6
  • 64f4f085050294d064860d0c9e323bbf21cb4f66773944646a9eaf4eab49e115
  • 8e2aa1a1a144f84511aafd76c83a23e33c3c107c914bb67761df32f6b68b6cf5
  • 96b235bc715d6089a163ca212d1e752c26918b3d3b1acec5bdebbdd1b40c4b85
  • f8845f98ca1233b6db2ef44913a115f3093308846ba805aaaf21753d97e4219c

Command and Control Servers:

  • hxxp://47.57.237.26
  • hxxp://165.232.173.244:3023
  • hxxps://manage-ads.com
  • hxxp://quanlysanpham.work

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1

Leave a Reply