Zimperium zLabs has discovered a new Android threat campaign, the Schoolyard Bully Trojan, which has been active since 2018. The campaign has spread to over 300,000 victims and specifically targets Facebook credentials. The Schoolyard Bully Trojan has been found in numerous applications downloaded from the Google Play Store and third-party app stores.
Posing as the good guy, the malicious apps known as the “Schoolyard Bully Trojan” are disguised as legitimate educational applications offering a wide range of books and topics for their victims to read. The malicious code hidden within these apps steals Facebook credentials and uploads them to the threat actors’ Firebase C&C. Even though these apps have now been removed from the Google Play Store, they are still available on third-party app stores, waiting to shake down their next student victim.
Disclosure: As a key member of the Google App Defense Alliance, Zimperium scans applications before publishing and provides an ongoing analysis of Android apps in the Google Play Store.
In this blog, we will:
Cover the capabilities of this Trojan
Discuss the technique used to steal Facebook credentials
Explore the impact
What Can The Schoolyard Bully Trojan Do?
Facebook reaches nearly 2.96 billion monthly users and continues to be the number one social media platform. Because attackers use the Schoolyard Bully Trojan to gain unauthorized access to Facebook credentials, they also have far more success accessing financial accounts: nearly 64% of individuals reuse a password that was exposed in a previous breach. With that many users recycling passwords, it is no surprise the Schoolyard Bully Trojan has been active for years.
The Schoolyard Bully Trojan can steal the following information from the Facebook accounts of its unsuspecting victims:
Email / Phone Number
Password
ID
Name
How Does The Schoolyard Bully Trojan Work?
The Schoolyard Bully Trojan is stealthy and disguises itself as educational applications, primarily targeting Vietnamese readers. Below are screenshots of four such trojans. The figure shows how the attackers use innocuous-looking applications to target their victims. The Facebook login activity is located in the chat (Trò Chuyện) option.
Figure 1: Homescreen of malicious apps
This trojan uses JavaScript injection to steal Facebook credentials. It opens the legitimate URL inside a WebView with malicious JavaScript injected to extract the user’s phone number, email address and password, then sends them to the configured Firebase C&C.
Figure 2: Facebook Webview
Figure 3: JavaScript injected
JavaScript is injected into the WebView using the evaluateJavascript method, as shown in Figure 3. The script reads the values of the elements with ids m_login_email and m_login_password, the form fields that hold the phone number or email address and the password (Figure 4).
Figure 4: m_login_email and m_login_password ids
The malware uses native libraries to hide from the majority of antivirus and machine-learning detections. This trojan applies the same technique with a native library named libabc.so, which stores the C&C data. The data is further encoded to hide all the strings from any detection mechanism. Apart from hiding its C&C details, these applications keep the educational content in a password-protected zip; the password is also stored in libabc.so along with the C&C details.
Figure 5 shows the decoding function and Figure 6 shows the encoded data. To decode it, the string is split into groups of three characters and the resulting string is converted from binary to ASCII/UTF-8. The decoded data (Figure 7) is a JSON object, which is then parsed.
Figure 5: Decode function
Figure 6: Encoded Data
Figure 7: Decoded Data
Figure 8: Mapping of json in Java
After the JavaScript is injected and executed, the credentials are stored in f480d and f481e (Figure 3). This data is then sent to ABC.f15496h, which is SEVER_BIGDATA2 (Figures 7 and 8).
Another function sends further information about the victim to the SEVER_BIGDATA C&C server:
Name on Facebook Profile
Facebook ID
Facebook Email/Phone Number
Facebook Password
Device Name
Device API
Device RAM
Figure 9: C&C communication code – 1
Figure 9: C&C communication code – 2
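A triage check for the pattern described above, added here as an example and not Zimperium's tooling or the malware's own code: it scans constructed snippets of decompiled Java for the evaluateJavascript read of m_login_email/m_login_password, the Firebase C&C hosts from the IoC section, and the libabc.so load. The file paths and snippet contents are constructed for the example.

```python
import re

# Constructed sample of decompiled Java, modelled on the behaviour described in
# the post (WebView + evaluateJavascript reading the Facebook login fields, a
# Firebase C&C URL, the native library libabc.so). Not the malware's own code.
SAMPLE_SOURCES = {
    "com/handbook/sample/ChatActivity.java": """
        w.getSettings().setJavaScriptEnabled(true);
        w.loadUrl("https://m.facebook.com/login");
        w.evaluateJavascript("document.getElementById('m_login_email').value"
            + "+'|'+document.getElementById('m_login_password').value", cb);
    """,
    "com/handbook/sample/Net.java": """
        String url = "https://bigdata2-habn.firebaseio.com/users.json";
        System.loadLibrary("abc");
    """,
    "com/example/benign/Reader.java": """
        w.loadUrl("https://example.org/book.html");
        w.evaluateJavascript("document.title", cb);
    """,
}

# Indicators taken from the post's IoC section and analysis.
C2_HOSTS = {"bigdata-habn.firebaseio.com", "bigdata2-habn.firebaseio.com",
            "bigdata3-habn.firebaseio.com"}
LOGIN_FIELD_IDS = ("m_login_email", "m_login_password")
NATIVE_LIB_NAME = "abc"  # System.loadLibrary("abc") loads libabc.so

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
LOADLIB_RE = re.compile(r'loadLibrary\("([^"]+)"\)')

def scan_source(text):
    """Return the reasons one decompiled file matches the pattern ([] if none)."""
    reasons = []
    # Injected JS that reads both fields of Facebook's mobile login form.
    if "evaluateJavascript" in text and all(f in text for f in LOGIN_FIELD_IDS):
        reasons.append("evaluateJavascript reads m_login_email/m_login_password")
    # Any URL pointing at a known C&C host from the IoC list.
    for host in HOST_RE.findall(text):
        if host in C2_HOSTS:
            reasons.append(f"known C&C host {host}")
    # The native library the post says holds the encoded C&C config.
    if NATIVE_LIB_NAME in LOADLIB_RE.findall(text):
        reasons.append("loads libabc.so")
    return reasons

def scan_sources(sources):
    """Map each path to its reasons, keeping only files with findings."""
    return {p: r for p, t in sources.items() if (r := scan_source(t))}
```

Run scan_sources over the output of a decompiler such as jadx to get a path-to-reasons map; the benign reader in the sample produces no finding, the two sample malicious files do.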
The Threat Actors
Zimperium zLabs researchers previously covered a campaign dubbed FlyTrap, which consisted of several applications created and distributed by Vietnamese threat actors. The Schoolyard Bully Trojan campaign shares the same interest in exploiting Vietnamese readers. However, based on the differences found in the code samples, our researchers have determined that the threat actors behind the two campaigns are different and operate independently.
The Victims of Schoolyard Bully Trojan
Although the primary victim group is Vietnamese users, the Zimperium zLabs mobile threat research team found over 300,000 victims across 71 countries, illustrating the broader geographic impact of this campaign. The actual number of countries could be higher than what was counted, because the applications are still being found in third-party app stores.
Zimperium vs. Schoolyard Bully Trojan
Zimperium zIPS customers are protected against the Schoolyard Bully Trojan with our on-device z9 Mobile Threat Defense machine learning engine. Zimperium’s patented on-device detection provides advanced security and protection against device, network, app, and web threats, keeping both personal and enterprise data private and secure.
To ensure your Android users are protected from this trojan, we recommend a quick risk assessment. Any application carrying the trojan will be flagged as a “Suspicious App Threat” inside zConsole. Admins can also review which apps have been sideloaded onto devices, since sideloaded apps increase the attack surface and leave data and users at risk.
Indicators of Compromise
Command and Control Servers
https://bigdata-habn.firebaseio.com
https://bigdata2-habn.firebaseio.com
https://bigdata3-habn.firebaseio.com
Package Names And Application Names
Package Name                   Application Name
com.handbook.class8            Cẩm Nang Lớp 8 Offline – Giải Bài Tập & Ôn Luyện
com.handbook.class7            Cẩm Nang Lớp 7 Offline – Giải Bài Tập & Ôn Luyện
com.handbook.class9            Cẩm Nang Lớp 9 Offline – Giải Bài Tập & Ôn Luyện
com.handbook.dia               Cẩm Nang Địa Lý Offline – Giải Bài Tập & Ôn Luyện
com.handbook.class11           Cẩm Nang Lớp 11 Offline – Giải Bài Tập & Ôn Luyện
com.habn.giaibaitap7           Giải Bài Tập 7 Offline Toán Văn Anh Lý Sinh Sử Địa
com.handbook.ly                Cẩm Nang Vật Lý Offline – Giải Bài Tập & Ôn Luyện
com.handbook.class12           Cẩm Nang Lớp 12 Offline – Giải Bài Tập & Ôn Luyện
com.handbook.sinh              Cẩm Nang Sinh Học Offline – Giải Bài Tập &Ôn Luyện
com.handbook.soanvan           Cẩm Nang Ngữ Văn Offline – Soạn Văn & Văn Mẫu
com.habn.giaibaitaptoan        Giải Toán 6,7,8,9,10,11,12
com.habn.giaibaitaptin         Giải Tin Học 6,7,8,9,10,11,12
com.habn.giaibaitap6           Giải Bài Tập 6 Offline Toán Văn Anh Lý Sinh Sử Địa
com.habn.webtruyen             Mê Đọc Truyện
com.habn.giaibaitap10          Giải Bài Tập 10 Offline Toán Văn Anh Lý Hóa Sử Địa
com.habn.giaibaitapdia         Giải Địa Lý 6,7,8,9,10,11,12
com.habn.giaibaitapsinh        Giải Sinh Học 6,7,8,9,10,11,12
com.habn.giaibaitapsu          Giải Lịch Sử 6,7,8,9,10,11,12
com.habn.sstruyen              Mọt Truyện
com.habn.storyngontinh         Yêu Đọc Truyện Ngôn Tình Tiên Hiệp Online Offline
com.habn.giaibaitapcongnghe    Giải Công Nghệ 6,7,8,9,10,11,12
com.habn.audio                 Nghe Truyện Ngắn, Ngôn Tình, Kiếm Hiệp Audio Hay
com.habn.giaibaitaply          Giải Vật Lý 6,7,8,9,10,11,12
com.habn.giaibaitap9           Giải Bài Tập 9 Offline Toán Văn Anh Lý Sinh Sử Địa
com.habn.giaibaitap12          Giải Bài Tập 12 Offline Toán Văn Anh Lý Hóa Sử Địa
com.habn.giaibaitapenglish     Giải Tiếng Anh 6,7,8,9,10,11,12
com.habn.giaibaitap3           Giải Bài Tập 3 Offline Toán Văn Anh
com.habn.giaibaitap4           Giải Bài Tập 4 Offline Toán Văn Anh Sử Địa
com.habn.giaibaitap8           Giải Bài Tập 8 Offline Toán Văn Anh Lý Sinh Sử Địa
com.habn.giaibaitap11          Giải Bài Tập 11 Offline Toán Văn Anh Lý Hóa Sử Địa
com.handbook.class10           Cẩm Nang Lớp 10 Offline – Giải Bài Tập & Ôn Luyện
com.habn.soanvan               Soạn Văn 6,7,8,9,10,11,12
com.habn.giaibaitaphoa         Giải Hóa Học 8,9,10,11,12
com.handbook.english           Cẩm Nang Tiếng Anh Offline – Giải Bài Tập Ôn Luyện
com.handbook.su                Cẩm Nang Lịch Sử Offline – Giải Bài Tập & Ôn Luyện
com.handbook.hoa               Cẩm Nang Hóa Học Offline – Giải Bài Tập & Ôn Luyện