Zimperium Uncovers Facebook Credential Stealer Targeting Android Devices
December 2022 by Zimperium
Zimperium revealed details of a newly discovered Android threat campaign that has been stealing Facebook credentials from unsuspecting users since 2018. The Zimperium zLabs threat research team recently discovered and named the Schoolyard Bully Android trojan, which it found in numerous educational applications that have been downloaded from the Google Play Store and third-party app stores by more than 300,000 victims to date.
Applications hiding the Schoolyard Bully trojan and its malicious code have been removed from the Google Play Store, but are still available on third-party app stores. These applications are often disguised as legitimate, educational applications with a wide range of books and topics for students to consume, but are capable of stealing details including a user’s name, email, phone number and password.
“Attackers can cause a lot of havoc by stealing Facebook passwords. If they can impersonate someone from their legitimate Facebook account, it becomes extremely easy to phish friends and other contacts into sending money or sensitive information,” said Richard Melick, Director of Mobile Threat Intelligence at Zimperium. “It’s also very concerning how many people reuse the same passwords. If an attacker steals someone’s Facebook password, there’s a high probability that same email and password will work with banking or financial apps, corporate accounts and so much more.”
The Schoolyard Bully trojan primarily targets Vietnamese language applications, but has been discovered in 71 countries so far, illustrating the broader-reaching geographic impact of this campaign. However, the actual number of countries where Schoolyard Bully is active could be even higher and could continue to grow because applications are still being found in third-party app stores.
The malware uses native libraries to hide from the majority of antivirus and machine learning virus detections, and uses the same technique with a native library named libabc.so to store the command and control data. The data is further encoded, to hide all the strings from any detection mechanisms.
Zimperium zIPS customers are protected against the Schoolyard Bully trojan with the on-device z9 Mobile Threat Defense machine learning engine. Zimperium’s patented on-device detection provides advanced security and protection against device, network, network, app, and web threats, keeping both personal and enterprise data private and secure.