Schoolyard Bully: a Facebook Trojan.

Mobile security firm Zimperium has discovered an Android threat, the Schoolyard Bully Trojan. The Trojan has been active since 2018 and primarily targets Vietnamese readers. The Trojan has the ability to steal credentials from the Facebook accounts of victims, including email, phone number, password, ID, and name.

How it works.

The Trojan disguises itself as a reading or educational app, IT World Canada reports. The malware also uses Javascript injections to show phishing pages designed to look like a Facebook login screen, so that the victim’s credentials can be stolen. “The trojan steals these details by using WebView to open a legitimate Facebook login page inside the app and injecting malicious JavaScript to extract the user inputs,” IT World Canada says.

The bullies look a lot like those involved with FlyTrap.

Zimperium reports similarities between this campaign and one dubbed “FlyTrap,” which involved Vietnamese threat actors creating and spreading applications. While this Trojan targets Vietnamese readers, researchers discovered differences in code samples, leading them to believe that there is not a direct connection between FlyTrap and this Trojan.

Schoolyard Bully's victims.

Vietnamese readers are the primary target of the Trojan, but the malware has been seen victimizing over 300,000 people in 71 different countries. Zimperium, however, acknowledges that infected applications still exist in some third-party app stores.

Expert commentary on the Schoolyard Bully Trojan.

Chris Hauk, consumer privacy champion at Pixel Privacy, recommends the use of antivirus software:

“While Google has improved its malware scanning defenses in the Google Play store, malicious apps like this still slip into the store, scoring thousands or even millions of downloads before their malicious payloads are discovered. Even though apps like this can still cause issues in the store, it is still safer than sideloading apps onto your Android device from outside sources. I strongly suggest that Android users install and periodically run antivirus and anti-malware apps on their devices. I personally use Malwarebytes, but there are several quality security suites available for Android devices. Scanning for malware can help Android users discover previously unknown malicious apps that may be installed on their devices.”

Paul Bischoff, privacy advocate at Comparitech, recommends sticking to the Google Play Store and enabling multifactor authentication on Facebook:

“If you install a malicious info-stealing app on your device, there's nothing Facebook can do to protect your account from being hacked. Although this was an attack on Facebook users, it does not exploit a Facebook vulnerability. Every Facebook user should set up multi-factor authentication on their accounts to prevent attackers from breaking in, even if they have the password. Unfortunately, Facebook does not require MFA, so many people never turn it on, either out of convenience or ignorance. Android users should stick to apps on the Google Play Store and avoid third-party app stores and APK download sites. Google Play vets all the apps uploaded to it and ensures you're getting the authentic, latest version, as opposed to an older vulnerable version or a version corrupted with malware. Google Play isn't perfect---apps on Google Play were infected with Schoolyard Bully---but it's better than the alternatives and swift to act when notified of a malicious app.”