Thursday, May 15, 2025
HomeAndroidNew Android Malware Stolen Facebook Credentials From 300,000 Victims

New Android Malware Stolen Facebook Credentials From 300,000 Victims

Published on

SIEM as a Service

Follow Us on Google News

The mobile security firm Zimperium has recently issued a warning about a Trojan called “Schoolyard Bully,” which is actively masquerading as an educational application in a malicious threat campaign.

While this trojan “Schoolyard Bully” has been active since 2018, and from the infected devices, it primarily steals Facebook account credentials.

As of right now, the campaign has infected devices in over 71 countries, with the majority of infections coming from Vietnam. More than 300,000 infections have been reported so far.

- Advertisement - Google News

This malware has been removed from the official Google Play store after it was discovered. As there are still third-party app stores offering these applications, this could mean that the actual number of countries is greater than what was accounted for.

Abilities of Schoolyard Bully Trojan

The Schoolyard Bully Trojan is used by threat actors to gain access to sensitive information by using unauthorized credentials. The ability to access financial accounts is much more successful for them.

Nearly 64% of individuals use the same password that was exposed in a previous breach. With the percentage of users recycling passwords, it is no surprise the Schoolyard Bully Trojan has been active for years.

There is a very high probability that about 64% of people are using the same password that has been compromised previously. Due to the high rate of people recycling their old passwords, “Schoolyard Bully Trojans” have remained active for years without being detected. Zimperium researchers said.

When the Schoolyard Bully Trojan is deployed on a user’s Facebook account, it gets the capability to steal the following information from their account:-

  • Name on Facebook Profile
  • Facebook ID
  • Facebook Email/Phone Number
  • Facebook Password
  • Device Name
  • Device API
  • Device RAM
  • Mechanism of Schoolyard Bully Trojan

In this malicious campaign mainly Vietnamese readers are targeted by the Schoolyard Bully Trojan and it tricks them by disguising itself as legitimate educational applications.

As far as the Facebook credentials are concerned, this trojan steals them using JavaScript injection. To steal the private information of the user, the Trojan opens the legitimate URL inside a WebView injected with the malicious javascript that extracts the user’s data from the browser.

Here the “evaluateJavascript” method is used to inject the Javascript into the WebView. With the help of the following IDs, the values of the elements are dragged by the javascript code:-

  • m_login_email
  • m_login_password

Several anti-virus programs and machine intelligence programs are unable to detect the malware because of its native libraries. For the purpose of storing C&C data, this trojan uses “libabc.so,” which is a native library. 

In addition to encoding the data, the strings are further hidden from detection mechanisms in order to maximize privacy. In a password-protected zip file, the malicious apps hide the C&C details as well as educational data. 

In addition to the password, some of the details related to the C&C system are also stored in libabc.so. Cybersecurity analysts have strongly recommended users to conduct a quick risk assessment of their Android devices to make sure they are not at risk from trojan malware.

In addition to those apps found by Zimperium’s researchers, Zimperium warns that there is probable to be more behind this campaign than the ones that have been reported.

Managed DDoS Attack Protection for Applications – Download Free Guide

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Coinbase Data Breach – Customers Personal Info, Government‑ID & Transaction Data Exposed

Coinbase, the largest cryptocurrency exchange in the United States, has disclosed a significant cybersecurity...

Inside Turla’s Uroboros Infrastructure and Tactics Revealed

In a nation-state cyber espionage, a recent static analysis of the Uroboros rootkit, attributed...

CISA Alerts on Five Active Zero-Day Windows Vulnerabilities Being Exploited

Cybersecurity professionals and network defenders, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has...

Intruder vs. Acunetix vs. Attaxion: Comparing Vulnerability Management Solutions

The vulnerability management market is projected to reach US$24.08 billion by 2030, with numerous...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Threat Actors Exploit Open Source Packages to Deploy Malware in Supply Chain Attacks

The Socket Threat Research Team has uncovered a surge in supply chain attacks where...

Xanthorox Emerging BlackHat AI Tool Empowering Hackers in Phishing and Malware Campaigns

Artificial intelligence platform named Xanthorox has emerged as a potent new tool for cybercriminals,...

Weaponized Google Calendar Invites Deliver Malicious Payload Using a Single Character

Security researchers have unearthed a sophisticated malware distribution method leveraging Google Calendar invites to...