Malware on Google Play

The Schoolyard Bully Trojan, a new Android threat campaign that has been active since 2018, has been found by Zimperium zLabs. Over 300,000 people have fallen victim to the campaign, which specifically targets Facebook login information

A recent analysis by Zimperium claims that the operation, which mainly targeted Vietnam, infected victims across 71 different countries.

The Victims’ Map

The Working of Schoolyard Bully Trojans

Researchers say numerous apps that were downloaded from the Google Play Store and other app stores contain the Schoolyard Bully Trojans.

“Disguised as the good guy, these malicious apps known as the “Schoolyard Bully Trojan” are camouflaged as legitimate, educational applications with a wide range of books and topics for their victims to read”, Zimperium zLabs

Malicious code was hidden within the educational apps, they were able to steal Facebook login information and upload it to threat actors’ Firebase C&C servers.

Although these apps are no longer accessible through the Google Play Store, they are still accessible through third-party app stores.

Notably, researchers say it’s not surprising that the Schoolyard Bully Trojan has been active for years given the number of users that recycle passwords.

Details Stolen From a Victim’s Facebook Account by the Schoolyard Bully Trojan:

  • Email / Phone Number
  • Password
  • ID
  • Name

The malware’s primary objective is to steal Facebook account information, including login information (email and password), account ID, username, device name, RAM, and API.

Malicious app home page
 Malicious Apps and Facebook Login Prompt

Researchers explain that to steal the Facebook login information, this trojan uses Javascript injection. To retrieve the user’s phone number, email address, and password, the Trojan opens the legitimate URL inside a WebView with the malicious javascript injected, and then sends it to the configured Firebase C&C.

Javascript Injected

Further, the malware uses native libraries to hide from the majority of antivirus and machine-learning virus detections.

Therefore, it is recommended to perform a fast risk analysis to make sure your devices are safeguarded from trojan malware.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.