December 2, 2022

Zimperium, a mobile security firm, is warning of an Android trojan masquerading as reading and education apps that may have stolen Facebook credentials from at least 300,000 users across 71 countries, primarily in Vietnam, since 2018.

Zimperium has named the malware Schoolyard Bully Trojan, and it has been delivered via innocent-looking Android applications hosted on Google Play and various third-party app stores. Despite the fact that Google has removed the malware from its official app store, the malicious applications can still be found on other websites.

It also uses JavaScript injections to display phishing pages designed to trick users into providing their Facebook username and password, which is its primary goal.

The trojan steals these details by using WebView to open a legitimate Facebook login page inside the app and injecting malicious JavaScript to extract the user inputs. The Schoolyard Bully trojan primarily targets Vietnamese language applications, but it has been discovered in 71 countries so far, demonstrating the campaign’s global reach. However, because applications are still being found in third-party app stores, the actual number of countries where Schoolyard Bully is active could be even higher and continue to grow.

The malware hides from the majority of antivirus and machine learning virus detections by using native libraries, and it stores command and control data in a native library called libabc.so. The data is further encoded in order to conceal all of the strings from detection mechanisms.

The sources for this piece include an article in BleepingComputer.