FlyTrap Android Malware Compromises Thousands of Facebook
Accounts - Zimperium
By Aazim Yaswant
Published: 2021-08-09 · Archived: 2026-04-05 12:39:22 UTC
A new Android Trojan codenamed FlyTrap has hit at least 140 countries since March 2021 and has spread to over
10,000 victims through social media hijacking, third-party app stores, and sideloaded applications.
Zimperium’s zLabs mobile threat research teams recently found several previously undetected applications using
Zimperium’s z9 malware engine and on-device detection. Following their forensic investigation, the zLabs team
determined this previously undetected malware is part of a family of Trojans that employ social engineering tricks
to compromise Facebook accounts.
Forensic evidence of this active Android Trojan attack, which we have named FlyTrap, points to malicious parties
out of Vietnam running this session hijacking campaign since March 2021. These malicious applications were
initially distributed through both Google Play and third-party application stores. Zimperium zLabs reported the
findings to Google, who verified the provided research and removed the malicious applications from the Google
Play store. However, the malicious applications are still available on third-party, unsecured app repositories,
highlighting the risk of sideloaded applications to mobile endpoints and user data.
Disclosure: As a key member of the Google App Defense Alliance, Zimperium scans applications prior to
publishing, as well as providing ongoing analysis of Android apps in the Google Play Store.
In this threat blog, we will:
Cover the capabilities of the FlyTrap Trojan;
Discuss the techniques used to collect and store data;
Demonstrate the communication with the C&C server to exfiltrate stolen data; and
Explore the victimology and impact.
What Can FlyTrap Trojan Do?
The mobile application poses a threat to the victim’s social identity by hijacking their Facebook accounts via a
Trojan infecting their Android device. The information collected from the victim’s Android device includes:
Facebook ID
Location
Email address
IP address
Cookie and Tokens associated with the Facebook account
https://www.zimperium.com/blog/flytrap-android-malware-compromises-thousands-of-facebook-accounts/
Page 1 of 6

These hijacked Facebook sessions can be used to spread the malware by abusing the victim’s social credibility
through personal messaging with links to the Trojan, as well as propagating propaganda or disinformation
campaigns using the victim’s geolocation details. These social engineering techniques are highly effective in the
digitally connected world and are used often by cybercriminals to spread malware from one victim to another.
How Does FlyTrap Trojan Work?
The threat actors made use of several themes that users would find appealing such as free Netflix coupon codes,
Google AdWords coupon codes, and voting for the best football (soccer) team or player. Initially available in
Google Play and third-party stores, the application tricked users into downloading and trusting the application
with high-quality designs and social engineering. After installation, the malicious application displays pages that
engage the user and asks for a response from them, such as the ones shown below.
Figures 1-6: The screens displayed upon installation and launch of the FlyTrap Trojans. 
The engagement continues until the user is shown the Facebook login page and asks to log in to their account to
cast their vote or collect the coupon code or credits. All this is just another trick to mislead the user since no actual
voting or coupon code gets generated. Instead, the final screen tries to justify the fake coupon code by displaying a
message stating that “Coupon expired after redemption and before spending.” The following images show one of
the applications’ UI navigation.
Figure 7-12: The graphical flow of the FlyTrap Trojans finally leading to the login page
Contrary to popular belief that a phishing page is always at the forefront for compromising or hijacking an
account, there are ways to hijack sessions even by logging into the original and legit domain. This Trojan exploits
one such technique known as JavaScript injection.
Using this technique, the application opens the legit URL inside a WebView configured with the ability to inject
JavaScript code and extracts all the necessary information such as cookies, user account details, location, and IP
address by injecting malicious JS code.
Figure 13: A code snippet containing the type of data to be exfiltrated to the C&C server
https://www.zimperium.com/blog/flytrap-android-malware-compromises-thousands-of-facebook-accounts/
Page 2 of 6

The manipulation of web resources is addressed as cross-principal manipulation (XPM) in the research “An
Empirical Study Of Web Resource Manipulation In Real-world Mobile Applications.” Successful login into
Facebook by the victim initiates the data exfiltration process and can be seen in the below screenshots of the
communication with the C&C server.
Figure 14,15: The exfiltrated cookie information matches the legitimate cookie
Several of the Trojans have the same malicious script and therefore identifies the source of data by the parameter
“from_app” as seen in the screenshots below.
Figure 16-18: The exfiltrated cookie information matches the legitimate cookie
The Command & Control server makes use of login credentials for authorizing access to the harvested data.
Security vulnerabilities in the C&C server expose the entire database of stolen session cookies to anyone on the
internet, further increasing the threat to the victim’s social credibility.
Figure 19: One of the Command & Control servers that stores hijacked sessions
The Victims of FlyTrap Trojan
The exposed database contains the geolocation information of several thousands of victims based on which, the
victimology map shown below was generated. The Zimperium zLabs mobile threat research team found over
10,000 victims across 144 countries to date, which illustrates the impact of the social engineering campaign.
https://www.zimperium.com/blog/flytrap-android-malware-compromises-thousands-of-facebook-accounts/
Page 3 of 6

Figure 20: Thousands of the victims are spread across 144 countries
Zimperium vs. FlyTrap Trojan
Zimperium zIPS customers are protected against FlyTrap Trojan with our on-device z9 Mobile Threat Defense
machine learning engine.
To ensure your Android users are protected from FlyTrap Trojan malware, we recommend a quick risk
assessment. Any application with FlyTrap will be flagged as a Suspicious App Threat inside zConsole. Admins
can also review which apps are sideloaded onto the device that could be increasing the attack surface and leaving
data and users at risk.
Summary of FlyTrap
Malicious threat actors are leveraging common user misconceptions that logging into the right domain is always
secure irrespective of the application used to log in. The targeted domains are popular social media platforms and
this campaign has been exceptionally effective in harvesting social media session data of users from 144
countries. These accounts can be used as a botnet for different purposes: from boosting the popularity of
pages/sites/products to spreading misinformation or political propaganda.
Just like any user manipulation, the high-quality graphics and official-looking login screens are common tactics to
have users take action that could reveal sensitive information. In this case, while the user is logging into their
official account, the FlyTrap Trojan is hijacking the session information for malicious intent.
FlyTrap is just one example of the ongoing, active threats against mobile devices aimed at stealing credentials.
Mobile endpoints are often treasure troves of unprotected login information to social media accounts, banking
applications, enterprise tools, and more. The tools and techniques used by FlyTrap are not novel but are effective
https://www.zimperium.com/blog/flytrap-android-malware-compromises-thousands-of-facebook-accounts/
Page 4 of 6

due to the lack of advanced mobile endpoint security on these devices. It would not take much for a malicious
party to take FlyTrap or any other Trojan and modify it to target even more critical information.
Indicators of Compromise
FlyTrap Trojan Android applications:
com.luxcarad.cardid : GG Voucher
com.gardenguides.plantingfree : Vote European Football
com.free_coupon.gg_free_coupon : GG Coupon Ads
com.m_application.app_moi_6 : GG Voucher Ads
com.free.voucher : GG Voucher
com.ynsuper.chatfuel : Chatfuel
Com.free_coupon.net_coupo    n : Net Coupon
com.movie.net_coupon : Net Coupon
com.euro2021 : EURO 2021 Official
00833ff71a1709e60cb04acbcc7ceecd56323e693de3c424fb37205204d43105
fa08c2ca7d8614be2b0b58095d0f3115464e9139bf5051c4f3da15963bb31062
30a3ad09199660baca6410a4ada290887390d9453d95eb1e84bdd984c89ecc3a
8e6c98b247a2bb34d5004c3f14d2cbf2a22c987f960e86c760d44766f9361c59
21b85beb9992fccb268fcef2904c5e6591a3c80b7fa8dd201e28782887fea2cb
d1cf14ccbc8f718111e59f9173475b2882dc6d1ca381ff3b726f2b471711aa7e
c4eed338a3449c57eb919eac9a41b5b5ca4d0223fda341005e68f5b673d745ad
3b0137302a6b93cc4dd4d0a58749fc959f8d9ad26d022d6b10dc3d7608af3279
3cd5cee4326d48c0b1f0c40d3b8f3e0d7ef7ef2b782afbe95e07a3d519ba5aee
1a3b448853479bf6b23d283bd44b0458132c3cda1648eac631dfdc178aee5ac0
5d671f5ed5e5855dc5727412b2a9293f42b7b5f31c3b924a30beacd8304863b6
64f4f085050294d064860d0c9e323bbf21cb4f66773944646a9eaf4eab49e115
8e2aa1a1a144f84511aafd76c83a23e33c3c107c914bb67761df32f6b68b6cf5
96b235bc715d6089a163ca212d1e752c26918b3d3b1acec5bdebbdd1b40c4b85
f8845f98ca1233b6db2ef44913a115f3093308846ba805aaaf21753d97e4219c
Command and Control Servers:
hxxp://47.57.237.26
hxxp://165.232.173.244:3023
hxxps://manage-ads.com
hxxp://quanlysanpham.work
About Zimperium
Zimperium, the global leader in mobile security, offers the only real-time, on-device, machine learning-based
protection against Android, iOS, and Chromebook threats. Powered by z9, Zimperium provides protection against
https://www.zimperium.com/blog/flytrap-android-malware-compromises-thousands-of-facebook-accounts/
Page 5 of 6

the device, network, phishing, and malicious app attacks. For more information or to schedule a demo, contact us
today.
Source: https://www.zimperium.com/blog/flytrap-android-malware-compromises-thousands-of-facebook-accounts/
https://www.zimperium.com/blog/flytrap-android-malware-compromises-thousands-of-facebook-accounts/
Page 6 of 6