FlyTrap: the Android malware that hijacks Facebook accounts

by | August 11, 2021 | Cybersecurity News

FlyTrap, a new Android trojan, has been discovered by researchers. The malware spreads to more than 10.000 victims, using hacked apps on third-party app stores, sideloaded apps, and hacked Facebook accounts.

FlyTrap has expanded to at least 144 countries since March, according to a report from Zimperium’s zLabs mobile threat research teams, via malicious apps downloaded through the Google Play store and third-party app marketplaces.

According to the researchers, the malware is part of a trojans family that uses social engineering to take over Facebook accounts. It was tracked back to operators in Vietnam. Initially, the session hijacking campaign was spread through Google Play and third-party app stores. Google Play, for its part, withdrew the malicious apps once Zimperium zLabs alerted it.

They are, however, still available on unsecured third-party app stores, “highlighting the risk of sideloaded applications to mobile endpoints and user data,” Zimperium explained.

The following list illustrates the bad apps:

  • GG Voucher (com.luxcarad.cardid)
  • GG Coupon Ads (com.free_coupon.gg_free_coupon)
  • GG Voucher Ads (com.m_application.app_moi_6)
  • GG Voucher (
  • Vote European Football (com.gardenguides.plantingfree)
  • Chatfuel (com.ynsuper.chatfuel)
  • Net Coupon (
  • Net Coupon (com.free_coupon.net_coupon)
  • EURO 2021 Official (com.euro2021)

How Do You Become Trapped in a FlyTrap?

Come-ons used by the threat actors include free Netflix coupons, Google AdWords coupons, and voting for the best football/soccer team or player. They’re not just appealing; they’re also polished, with high-quality visuals, which helps to conceal what they’re up to behind the scenes.

ZLabs researchers explained:

“Just like any user manipulation, the high-quality graphics and official-looking login screens are common tactics to have users take action that could reveal sensitive information. In this case, while the user is logging into their official account, the FlyTrap Trojan is hijacking the session information for malicious intent.”

The malicious apps claim to give Netflix and Google AdWords coupon codes and allow users to vote for their favorite teams and players in the UEFA EURO 2020 soccer tournament, which ended on July 11th (delayed a year by COVID-19). However, before the malware apps can provide the promised benefits, users must first check-in with their Facebook accounts to vote or receive the coupon code or credits.

Of course, there are no free Netflix or AdWords discounts or codes available, and there is no way to vote for your favorite football team. Rather, the malicious programs are only interested in obtaining Facebook login information. As illustrated in the screenshots below, they make a last-ditch attempt to appear real by displaying a statement saying that the coupon or code expired “after redemption and before spending.”

When confused Android user hands over their Facebook credentials, the apps start to work slurping up information such as:

  • Facebook ID
  • Email address
  • Location
  • IP address
  • Cookies and tokens associated with the Facebook account

The trojan then spreads its tentacles through vulnerable accounts, making it appear as if the rightful owners are sharing legitimate posts, according to zLabs experts:

“These hijacked Facebook sessions can be used to spread the malware by abusing the victim’s social credibility through personal messaging with links to the Trojan, as well as propagating propaganda or disinformation campaigns using the victim’s geolocation details. These social-engineering techniques are highly effective in the digitally connected world and are used often by cybercriminals to spread malware from one victim to another.”

SilentFade was a malware campaign attributed to Chinese attackers that targeted Facebook’s ad platform for years, stealing $4 million from users’ advertising accounts and using the stolen accounts to promote malicious ads, steal browser cookies, and more. More recently, a similar malware called CopperStealer, which steals passwords and cookies, was discovered to have compromised Amazon, Apple, Google, and Facebook accounts since 2019, then exploited them for further cybercriminal activity.

How Does FlyTrap Work?

By logging into the original and legitimate domain, FlyTrap uses JavaScript injection to hijack sessions. Its malicious programs access a legitimate domain in a WebView and then inject malicious JavaScript code that allows for the extraction of targeted data, such as cookies, user account details, location, and IP address.

FlyTrap’s command-and-control (C2) server used the stolen login credentials to authorize access to the gathered data. But it gets worse: zLabs discovered a flaw in the C2 server that could be exploited to expose the full database of stolen session cookies “to anyone on the internet,” putting victims in much more danger, according to the researchers.

The map below, produced by zLabs, illustrates the 144 countries where FlyTrap has trapped thousands of victims.

The researchers pointed out that credential stealing from mobile devices is nothing new: after all, mobile endpoints “are often treasure troves of unprotected login information to social media accounts, banking applications, enterprise tools, and more.”

FlyTrap’s tools and approaches are so powerful, they claimed, that it’s not surprising if a malicious actor takes it up and retrofits it or “any other trojan” to go for even more sensitive data.

How to keep your Android safe?

On Monday, Zimperum’s head of product marketing for endpoint security, Richard Melick, stated that Android users could reduce their risk of infection right away by ensuring that they don’t allow any software from an untrusted source to be loaded.

While most Android smartphones have the setting turned off by default, social-engineering tactics are “highly effective at tricking users into allowing it,” he said.

To disable unknown sources on Android, go to settings, security, and ensure the “unknown sources” option is turned off.

According to Melick, users should also establish multi-factor authentication (MFA) for all social media accounts and any other accounts that have access to sensitive or private data.

“While this will not stop this kind of hack, it adds additional security layers such as geo-based alerts” to the user’s profile, he pointed out; i.e., “This account is trying to log in from Vietnam.”

If an Android user feels that a Facebook account has been compromised, Melick advises that they log out of all accounts on all devices, change their passwords immediately, and enable MFA if it is not already enabled.

In general, be wary of grabby apps, Melick advised:

“Overall, it is about being aware of what an application is asking for; if you need to connect your social media accounts to access the coupon or deal, pause and ask why. What could that site/coupon company now use that data for? What will they be able to do with your account? Do they really need that to give you a deal? Once the connection is established, your data can be easily taken and used without your consent.”


Feature image: Photo by Phạm Mạnh on Unsplash

by Andreea Popa

Content writer for Attack Simulator, delivering your daily dose of awareness for cyber security! Love to write passionately about any subject and my mainly inspiration are people's stories. You can also find me on social media, for some more friendly things!

There’s no reason to postpone training your employees

Get a quote based on your organization’s needs and start building a strong cyber security infrastructure today.