The Schoolyard Bully Trojan, a new Android threat campaign that has been active since 2018, has been found by Zimperium zLabs. Over 300,000 people have fallen victim to the campaign, which specifically targets Facebook login information.
A recent analysis by Zimperium claims that the operation, which mainly targeted Vietnam, infected victims across 71 different countries.
Figure: The Victims’ Map
How the Schoolyard Bully Trojan Works
Researchers say numerous apps that were downloaded from the Google Play Store and other app stores contain the Schoolyard Bully Trojan.
“Disguised as the good guy, these malicious apps known as the ‘Schoolyard Bully Trojan’ are camouflaged as legitimate, educational applications with a wide range of books and topics for their victims to read,” says Zimperium zLabs.
Malicious code hidden within the educational apps allowed them to steal Facebook login information and upload it to the threat actors’ Firebase C&C servers.
Although these apps are no longer accessible through the Google Play Store, they are still accessible through third-party app stores.
Notably, researchers say it’s not surprising that the Schoolyard Bully Trojan has been active for years given the number of users that recycle passwords.
Details Stolen From a Victim’s Facebook Account by the Schoolyard Bully Trojan:
- Email / Phone Number
- Password
- ID
- Name
The malware’s primary objective is to steal Facebook account information, including login information (email and password), account ID, username, device name, RAM, and API.
Figure: Malicious Apps and Facebook Login Prompt
Researchers explain that this trojan uses JavaScript injection to steal the Facebook login information. To retrieve the user’s phone number, email address, and password, the Trojan opens the legitimate URL inside a WebView with the malicious JavaScript injected, and then sends the extracted values to the configured Firebase C&C.
Figure: JavaScript Injected
Further, the malware uses native libraries to hide from the majority of antivirus and machine-learning virus detections.
Therefore, it is recommended to perform a fast risk analysis to make sure your devices are safeguarded from trojan malware.
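For app vetting, the WebView JavaScript injection and Firebase upload described above can be turned into a static triage check over decompiled sources. The following is an added example, not code from Zimperium or from the original article; the signal patterns, the facebook.com match, the scoring and the sample sources are all assumptions constructed for illustration.

```python
import re

# Heuristic signals for the behaviour described above. The patterns and the
# facebook.com match are assumptions of this example, not published indicators.
SIGNALS = {
    "js_enabled": re.compile(r"setJavaScriptEnabled\s*\(\s*true\s*\)"),
    "js_injection": re.compile(r'evaluateJavascript\s*\(|loadUrl\s*\(\s*"javascript:'),
    "js_bridge": re.compile(r"addJavascriptInterface\s*\("),
    "facebook_url": re.compile(r"https?://(?:[\w-]+\.)*facebook\.com\b", re.I),
    "firebase": re.compile(r"firebaseio\.com|FirebaseDatabase|FirebaseFirestore"),
}

def scan_app(sources):
    """Map each signal to the decompiled files (path -> text) where it appears."""
    hits = {}
    for path, text in sources.items():
        for name, pattern in SIGNALS.items():
            if pattern.search(text):
                hits.setdefault(name, []).append(path)
    return hits

def verdict(hits):
    """Rate an app by the combination of signals, never by a single one."""
    injects_into_facebook = all(
        s in hits for s in ("js_enabled", "js_injection", "facebook_url"))
    if not injects_into_facebook:
        return "none"
    # A JS-to-Java bridge or a Firebase backend gives scraped values a way out.
    return "high" if ("js_bridge" in hits or "firebase" in hits) else "review"

# Constructed samples (not taken from any real app).
SUSPECT = {
    "LoginActivity.java": 'view.getSettings().setJavaScriptEnabled(true);\n'
                          'view.addJavascriptInterface(new Bridge(), "b");\n'
                          'view.loadUrl("https://m.facebook.com/");\n'
                          'view.evaluateJavascript(script, null);\n',
    "Uploader.java": 'FirebaseDatabase.getInstance().getReference("r").setValue(d);\n',
}
BENIGN = {
    "ReaderActivity.java": 'web.getSettings().setJavaScriptEnabled(true);\n'
                           'web.loadUrl("file:///android_asset/book.html");\n'
                           'FirebaseAnalytics.getInstance(this);\n',
}

if __name__ == "__main__":
    for name, app in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, verdict(scan_app(app)))
```

Since the malware is reported to use native libraries, a clean result from decompiled Java sources alone does not clear an app.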