Zimperium reveals new Android threat ‘the Schoolyard Bully’


Zimperium, the mobile security platform purpose-built for enterprise environments, has revealed details of a newly discovered Android threat campaign that has been stealing Facebook credentials from unsuspecting users since 2018.

The Zimperium zLabs threat research team recently discovered and named the Schoolyard Bully Android trojan, which it found in numerous educational applications that have been downloaded from the Google Play Store and third-party app stores by more than 300,000 victims to date, according to a statement from the company.

Applications hiding the Schoolyard Bully trojan and its malicious code have been removed from the Google Play Store, but are still available on third-party app stores.

These applications are often disguised as legitimate educational applications offering a wide range of books and topics for students to consume, but are capable of stealing details including a user's name, email, phone number and password.

Richard Melick, Director of Mobile Threat Intelligence at Zimperium, says, “Attackers can cause a lot of havoc by stealing Facebook passwords. If they can impersonate someone from their legitimate Facebook account, it becomes extremely easy to phish friends and other contacts into sending money or sensitive information. It’s also very concerning how many people reuse the same passwords.

“If an attacker steals someone’s Facebook password, there’s a high probability that the same email and password will work with banking or financial apps, corporate accounts and so much more.”

The Schoolyard Bully trojan primarily targets Vietnamese language applications, but has been discovered in 71 countries so far, illustrating the broader-reaching geographic impact of this campaign. However, the actual number of countries where Schoolyard Bully is active could be even higher and could continue to grow because applications are still being found in third-party app stores.

The malware uses native libraries to hide from the majority of antivirus and machine-learning-based detections, and uses the same technique with a native library named libabc.so to store the command and control data. The data is further encoded, to hide all the strings from any…
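Hiding command-and-control data as encoded strings inside a bundled native library is a technique an analyst can triage for without running the app: an APK is a zip file, so the `.so` files under `lib/` can be pulled out and their printable-string runs scored for entropy, since encoded or base64-like configuration blobs score much higher than ordinary identifiers. The script below is an added example written for this article, not Zimperium's detection logic and not the malware's actual encoding scheme; the sample APK, the `libabc.so` and `libclean.so` contents and the 4.5 bits-per-byte threshold are all constructed or assumed for illustration.

```python
import io
import math
import re
import zipfile
from collections import Counter

# Printable ASCII runs of at least 8 bytes, the usual "strings"-style heuristic.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def native_libs(apk_bytes: bytes):
    """Yield (path, content) for every native library under lib/ in the APK zip."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                yield name, z.read(name)


def suspicious_strings(blob: bytes, threshold: float = 4.5):
    """Return printable runs whose per-byte entropy is at or above the threshold.

    Plain identifiers and English text typically sit around 3 to 4 bits per
    byte; base64-like or otherwise encoded configuration tends to exceed 4.5.
    The threshold is an assumed triage value, not a published detection rule.
    """
    return [s for s in PRINTABLE_RUN.findall(blob) if shannon_entropy(s) >= threshold]


def triage_apk(apk_bytes: bytes, threshold: float = 4.5) -> dict:
    """Map each native library in the APK to its size, overall entropy and flagged strings."""
    report = {}
    for path, content in native_libs(apk_bytes):
        report[path] = {
            "size": len(content),
            "entropy": round(shannon_entropy(content), 2),
            "flagged": suspicious_strings(content, threshold),
        }
    return report


# ---- constructed sample input (not a real APK, not real malware content) ----
PLAIN_STRING = b"education_reader_init"                  # ordinary symbol, ~3.4 bits/byte
ENCODED_BLOB = b"aB3xK9mQ7pLz2WvR5tY8nJ4hF6gD1sC0"       # 32 distinct bytes, exactly 5.0 bits/byte


def build_sample_apk() -> bytes:
    """Build an in-memory zip shaped like an APK: a dex file plus two fake native libraries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        # Fake ELF-ish header, a benign symbol, then an encoded-looking blob.
        z.writestr(
            "lib/arm64-v8a/libabc.so",
            b"\x7fELF" + b"\x00" * 16 + PLAIN_STRING + b"\x00" + ENCODED_BLOB + b"\x00",
        )
        # A library with only ordinary strings, which should not be flagged.
        z.writestr(
            "lib/arm64-v8a/libclean.so",
            b"\x7fELF" + b"\x00" * 16 + PLAIN_STRING + b"\x00" + b"render_page_native" + b"\x00",
        )
    return buf.getvalue()


SAMPLE_APK = build_sample_apk()

if __name__ == "__main__":
    for path, info in triage_apk(SAMPLE_APK).items():
        status = "REVIEW" if info["flagged"] else "ok"
        print(f"{status:6} {path} size={info['size']} entropy={info['entropy']} "
              f"flagged={[s.decode() for s in info['flagged']]}")
```

Run against a real APK by reading the file into `triage_apk`; libraries with flagged strings are candidates for a closer look in a disassembler, not verdicts, since packed or compressed legitimate libraries can also produce high-entropy runs.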
