{
	"id": "8514d750-6205-4ed5-a996-51e054d10ea5",
	"created_at": "2026-04-06T00:18:36.515308Z",
	"updated_at": "2026-04-10T03:30:33.380018Z",
	"deleted_at": null,
	"sha1_hash": "abf9fc4a0cf8dc1f12739a60e0207952f2bd5946",
	"title": "FlyTrap Android Malware Compromises Thousands of Facebook Accounts - Zimperium",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1365170,
	"plain_text": "FlyTrap Android Malware Compromises Thousands of Facebook\r\nAccounts - Zimperium\r\nBy Aazim Yaswant\r\nPublished: 2021-08-09 · Archived: 2026-04-05 12:39:22 UTC\r\nA new Android Trojan codenamed FlyTrap has hit at least 140 countries since March 2021 and has spread to over\r\n10,000 victims through social media hijacking, third-party app stores, and sideloaded applications.\r\nZimperium’s zLabs mobile threat research teams recently found several previously undetected applications using\r\nZimperium’s z9 malware engine and on-device detection. Following their forensic investigation, the zLabs team\r\ndetermined this previously undetected malware is part of a family of Trojans that employ social engineering tricks\r\nto compromise Facebook accounts.\r\nForensic evidence of this active Android Trojan attack, which we have named FlyTrap, points to malicious parties\r\nout of Vietnam running this session hijacking campaign since March 2021. These malicious applications were\r\ninitially distributed through both Google Play and third-party application stores. Zimperium zLabs reported the\r\nfindings to Google, who verified the provided research and removed the malicious applications from the Google\r\nPlay store. 
However, the malicious applications are still available on third-party, unsecured app repositories,\r\nhighlighting the risk of sideloaded applications to mobile endpoints and user data.\r\nDisclosure: As a key member of the Google App Defense Alliance, Zimperium scans applications prior to\r\npublishing, as well as providing ongoing analysis of Android apps in the Google Play Store.\r\nIn this threat blog, we will:\r\nCover the capabilities of the FlyTrap Trojan;\r\nDiscuss the techniques used to collect and store data;\r\nDemonstrate the communication with the C\u0026C server to exfiltrate stolen data; and\r\nExplore the victimology and impact.\r\nWhat Can FlyTrap Trojan Do?\r\nThe mobile application poses a threat to the victim’s social identity by hijacking their Facebook accounts via a\r\nTrojan infecting their Android device. The information collected from the victim’s Android device includes:\r\nFacebook ID\r\nLocation\r\nEmail address\r\nIP address\r\nCookie and Tokens associated with the Facebook account\r\nhttps://www.zimperium.com/blog/flytrap-android-malware-compromises-thousands-of-facebook-accounts/\r\nPage 1 of 6\n\nThese hijacked Facebook sessions can be used to spread the malware by abusing the victim’s social credibility\r\nthrough personal messaging with links to the Trojan, as well as propagating propaganda or disinformation\r\ncampaigns using the victim’s geolocation details. These social engineering techniques are highly effective in the\r\ndigitally connected world and are used often by cybercriminals to spread malware from one victim to another.\r\nHow Does FlyTrap Trojan Work?\r\nThe threat actors made use of several themes that users would find appealing such as free Netflix coupon codes,\r\nGoogle AdWords coupon codes, and voting for the best football (soccer) team or player. 
Initially available in\r\nGoogle Play and third-party stores, the application tricked users into downloading and trusting it\r\nwith high-quality designs and social engineering. After installation, the malicious application displays pages that\r\nengage the user and ask for a response from them, such as the ones shown below.\r\nFigures 1-6: The screens displayed upon installation and launch of the FlyTrap Trojans.\r\nThe engagement continues until the user is shown the Facebook login page and is asked to log in to their account to\r\ncast their vote or collect the coupon code or credits. All this is just another trick to mislead the user, since no actual\r\nvoting or coupon code gets generated. Instead, the final screen tries to justify the fake coupon code by displaying a\r\nmessage stating that “Coupon expired after redemption and before spending.” The following images show one of\r\nthe applications’ UI navigation.\r\nFigures 7-12: The graphical flow of the FlyTrap Trojans finally leading to the login page\r\nContrary to the popular belief that a phishing page is always needed to compromise or hijack an\r\naccount, there are ways to hijack a session even when the user logs into the original, legitimate domain. 
This Trojan exploits\r\none such technique, known as JavaScript injection.\r\nUsing this technique, the application opens the legitimate URL inside a WebView configured to allow JavaScript injection, and\r\nthe injected malicious JS code extracts all the necessary information, such as cookies, user account details, location, and IP\r\naddress. Because the WebView is owned by the hosting application, the app can run script in the loaded page and read its\r\ndata even though the domain itself is genuine.\r\nFigure 13: A code snippet containing the type of data to be exfiltrated to the C\u0026C server\r\nThe manipulation of web resources is addressed as cross-principal manipulation (XPM) in the research “An\r\nEmpirical Study Of Web Resource Manipulation In Real-world Mobile Applications.” A successful login into\r\nFacebook by the victim initiates the data exfiltration process, which can be seen in the screenshots below of the\r\ncommunication with the C\u0026C server.\r\nFigures 14-15: The exfiltrated cookie information matches the legitimate cookie\r\nSeveral of the Trojans share the same malicious script and therefore identify the source of the data by the parameter\r\n“from_app”, as seen in the screenshots below.\r\nFigures 16-18: The exfiltrated cookie information matches the legitimate cookie\r\nThe Command \u0026 Control server makes use of login credentials for authorizing access to the harvested data.\r\nSecurity vulnerabilities in the C\u0026C server expose the entire database of stolen session cookies to anyone on the\r\ninternet, further increasing the threat to the victim’s social credibility.\r\nFigure 19: One of the Command \u0026 Control servers that stores hijacked sessions\r\nThe Victims of FlyTrap Trojan\r\nThe exposed database contains the geolocation information of several thousand victims, from which the\r\nvictimology map shown below was generated. 
The Zimperium zLabs mobile threat research team found over\r\n10,000 victims across 144 countries to date, which illustrates the impact of the social engineering campaign.\r\nFigure 20: Thousands of victims spread across 144 countries\r\nZimperium vs. FlyTrap Trojan\r\nZimperium zIPS customers are protected against FlyTrap Trojan with our on-device z9 Mobile Threat Defense\r\nmachine learning engine.\r\nTo ensure your Android users are protected from FlyTrap Trojan malware, we recommend a quick risk\r\nassessment. Any application with FlyTrap will be flagged as a Suspicious App Threat inside zConsole. Admins\r\ncan also review which apps are sideloaded onto the device, since those could be increasing the attack surface and leaving\r\ndata and users at risk.\r\nSummary of FlyTrap\r\nMalicious threat actors are leveraging the common user misconception that logging into the right domain is always\r\nsecure irrespective of the application used to log in. The targeted domains are popular social media platforms, and\r\nthis campaign has been exceptionally effective in harvesting social media session data of users from 144\r\ncountries. These accounts can be used as a botnet for different purposes: from boosting the popularity of\r\npages/sites/products to spreading misinformation or political propaganda.\r\nJust like any user manipulation, the high-quality graphics and official-looking login screens are common tactics to\r\nhave users take action that could reveal sensitive information. 
In this case, while the user is logging into their\r\nofficial account, the FlyTrap Trojan is hijacking the session information for malicious intent.\r\nFlyTrap is just one example of the ongoing, active threats against mobile devices aimed at stealing credentials.\r\nMobile endpoints are often treasure troves of unprotected login information to social media accounts, banking\r\napplications, enterprise tools, and more. The tools and techniques used by FlyTrap are not novel but are effective\r\ndue to the lack of advanced mobile endpoint security on these devices. It would not take much for a malicious\r\nparty to take FlyTrap or any other Trojan and modify it to target even more critical information.\r\nIndicators of Compromise\r\nFlyTrap Trojan Android applications:\r\ncom.luxcarad.cardid : GG Voucher\r\ncom.gardenguides.plantingfree : Vote European Football\r\ncom.free_coupon.gg_free_coupon : GG Coupon Ads\r\ncom.m_application.app_moi_6 : GG Voucher Ads\r\ncom.free.voucher : GG Voucher\r\ncom.ynsuper.chatfuel : Chatfuel\r\ncom.free_coupon.net_coupon : Net Coupon\r\ncom.movie.net_coupon : Net Coupon\r\ncom.euro2021 : EURO 2021 
Official\r\nSample hashes (SHA-256):\r\n00833ff71a1709e60cb04acbcc7ceecd56323e693de3c424fb37205204d43105\r\nfa08c2ca7d8614be2b0b58095d0f3115464e9139bf5051c4f3da15963bb31062\r\n30a3ad09199660baca6410a4ada290887390d9453d95eb1e84bdd984c89ecc3a\r\n8e6c98b247a2bb34d5004c3f14d2cbf2a22c987f960e86c760d44766f9361c59\r\n21b85beb9992fccb268fcef2904c5e6591a3c80b7fa8dd201e28782887fea2cb\r\nd1cf14ccbc8f718111e59f9173475b2882dc6d1ca381ff3b726f2b471711aa7e\r\nc4eed338a3449c57eb919eac9a41b5b5ca4d0223fda341005e68f5b673d745ad\r\n3b0137302a6b93cc4dd4d0a58749fc959f8d9ad26d022d6b10dc3d7608af3279\r\n3cd5cee4326d48c0b1f0c40d3b8f3e0d7ef7ef2b782afbe95e07a3d519ba5aee\r\n1a3b448853479bf6b23d283bd44b0458132c3cda1648eac631dfdc178aee5ac0\r\n5d671f5ed5e5855dc5727412b2a9293f42b7b5f31c3b924a30beacd8304863b6\r\n64f4f085050294d064860d0c9e323bbf21cb4f66773944646a9eaf4eab49e115\r\n8e2aa1a1a144f84511aafd76c83a23e33c3c107c914bb67761df32f6b68b6cf5\r\n96b235bc715d6089a163ca212d1e752c26918b3d3b1acec5bdebbdd1b40c4b85\r\nf8845f98ca1233b6db2ef44913a115f3093308846ba805aaaf21753d97e4219c\r\nCommand and Control Servers:\r\nhxxp://47.57.237.26\r\nhxxp://165.232.173.244:3023\r\nhxxps://manage-ads.com\r\nhxxp://quanlysanpham.work\r\nAbout Zimperium\r\nZimperium, the global leader in mobile security, offers the only real-time, on-device, machine learning-based\r\nprotection against Android, iOS, and Chromebook threats. Powered by z9, Zimperium provides protection against\r\nthe device, network, phishing, and malicious app attacks. For more information or to schedule a demo, contact us\r\ntoday.\r\nSource: https://www.zimperium.com/blog/flytrap-android-malware-compromises-thousands-of-facebook-accounts/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.zimperium.com/blog/flytrap-android-malware-compromises-thousands-of-facebook-accounts/"
	],
	"report_names": [
		"flytrap-android-malware-compromises-thousands-of-facebook-accounts"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434716,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/abf9fc4a0cf8dc1f12739a60e0207952f2bd5946.pdf",
		"text": "https://archive.orkl.eu/abf9fc4a0cf8dc1f12739a60e0207952f2bd5946.txt",
		"img": "https://archive.orkl.eu/abf9fc4a0cf8dc1f12739a60e0207952f2bd5946.jpg"
	}
}