An Android trojan disguised as reading and education apps has been circulating since 2018. According to reports, it has infected at least 300,000 devices across 71 countries, with Vietnam hit hardest. The malicious apps were available on Google Play, although they have since been removed.
A Threat to Academics
Although the apps have been removed from Google Play, the trojan continues to spread through third-party Android app stores. Zimperium, which analyzed it, named it "Schoolyard Bully" because it targets users who download educational apps. The malware steals Facebook credentials (email address or phone number and password), the Facebook account ID and username, and device details such as the device name, RAM, and API level.
Once installed, the app opens the Facebook login page inside an Android WebView and prompts the user to sign in. The app then injects JavaScript into that WebView to read the values entered into the login form. Phone numbers, email addresses, and passwords are harvested by looking up the form's elements by ID, specifically "m_login_email" and "m_login_password".
The figure of 300,000 victims across 37 infected apps is an estimate based on telemetry data. As Bleeping Computer notes, an accurate count is hard to obtain now that distribution has moved to third-party app stores, so the real number of victims may be considerably higher than initially reported.
About the Malware
Besides spreading through other app stores, the malware evades most antivirus products by hiding its malicious code in native libraries. One such library, "libabc.so", stores the command-and-control (C&C) data. That data is packed inside "libabc.so" as a password-protected ZIP archive, so it cannot be read without the password.
Zimperium also uncovered FlyTrap, a campaign run by Vietnam-based operators that, like Schoolyard Bully, targets Vietnamese users. The researchers determined, however, that the two are separate campaigns operating independently.
The following command-and-control servers were identified; network traffic from an app to any of them is a strong indicator that the app is malicious:
https://bigdata-habn.firebaseio.com
https://bigdata2-habn.firebaseio.com
https://bigdata3-habn.firebaseio.com
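As an added example (not code from this article, from Zimperium, or from the malware itself), the Python scanner below applies two of the static indicators described above to a native library such as "libabc.so": it locates embedded ZIP local-file headers and reports whether each entry has the encryption flag set, and it searches the binary for the Firebase C&C hostnames listed above. The sample library bytes are constructed inline for the demonstration and are not a real malware sample; the `build_local_header` helper exists only to build that sample.

```python
"""Scan a native library blob for Schoolyard Bully-style static indicators."""
import re
import struct

# C&C hosts named in the Zimperium report (listed in the article above).
KNOWN_C2_HOSTS = {
    "bigdata-habn.firebaseio.com",
    "bigdata2-habn.firebaseio.com",
    "bigdata3-habn.firebaseio.com",
}

ZIP_LOCAL_HEADER = b"PK\x03\x04"       # local file header signature
ZIP_LOCAL_HEADER_LEN = 30             # fixed part of the header
ZIP_FLAG_ENCRYPTED = 0x0001           # general-purpose bit 0: entry is encrypted
# Layout: sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4)
#         csize(4) usize(4) name_len(2) extra_len(2)
ZIP_LOCAL_HEADER_FMT = "<IHHHHHIIIHH"


def find_embedded_zip_entries(blob: bytes):
    """Return (offset, filename, encrypted) for every ZIP local file header in blob.

    A ZIP archive embedded in an ELF file keeps its own headers, so a plain
    signature scan finds it without parsing the ELF at all.
    """
    entries = []
    for match in re.finditer(re.escape(ZIP_LOCAL_HEADER), blob):
        off = match.start()
        if off + ZIP_LOCAL_HEADER_LEN > len(blob):
            break
        fields = struct.unpack_from(ZIP_LOCAL_HEADER_FMT, blob, off)
        flags, name_len = fields[2], fields[9]
        name_start = off + ZIP_LOCAL_HEADER_LEN
        name = blob[name_start:name_start + name_len].decode("utf-8", "replace")
        entries.append((off, name, bool(flags & ZIP_FLAG_ENCRYPTED)))
    return entries


def find_firebase_hosts(blob: bytes):
    """Return every *.firebaseio.com hostname embedded as a printable string."""
    hosts = {m.group(0).decode("ascii", "replace").lower()
             for m in re.finditer(rb"[A-Za-z0-9.-]+\.firebaseio\.com", blob)}
    return sorted(hosts)


def scan_native_library(blob: bytes):
    """Combine both indicators into one verdict for a library image."""
    zips = find_embedded_zip_entries(blob)
    firebase_hosts = find_firebase_hosts(blob)
    c2_hosts = [h for h in firebase_hosts if h in KNOWN_C2_HOSTS]
    encrypted = [name for _, name, enc in zips if enc]
    return {
        "encrypted_zip_entries": encrypted,
        "plain_zip_entries": [name for _, name, enc in zips if not enc],
        "firebase_hosts": firebase_hosts,
        "c2_hosts": c2_hosts,
        # Either indicator alone is worth an analyst's attention.
        "suspicious": bool(encrypted) or bool(c2_hosts),
    }


def build_local_header(name: bytes, data: bytes, encrypted: bool) -> bytes:
    """Hypothetical helper used only to construct the sample below."""
    flags = ZIP_FLAG_ENCRYPTED if encrypted else 0
    header = struct.pack(ZIP_LOCAL_HEADER_FMT, 0x04034B50, 20, flags, 0, 0, 0,
                         0, len(data), len(data), len(name), 0)
    return header + name + data


# Constructed sample: ELF magic plus padding, one encrypted ZIP entry, and a
# C&C URL string. This is not real malware content.
SAMPLE_LIB = (
    b"\x7fELF" + b"\x00" * 64
    + build_local_header(b"config.json", b"\xde\xad\xbe\xef" * 4, encrypted=True)
    + b"\x00" * 16
    + b"https://bigdata2-habn.firebaseio.com\x00"
    + b"\x00" * 16
)

if __name__ == "__main__":
    import sys
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LIB
    for key, value in scan_native_library(target).items():
        print(f"{key}: {value}")
```

Run it with no arguments to scan the constructed sample, or pass the path of a library pulled from an APK's `lib/` directory. Bit 0 of the general-purpose flags covers both traditional ZipCrypto and AES-encrypted entries, so the check does not depend on which scheme the archive uses; an encrypted archive plus a known C&C hostname in one native library is exactly the combination described in the text.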
Here are some of the application names identified by the researchers. If you come across any of them in third-party app stores, steer clear:
Cẩm Nang Lớp 8 Offline - Giải Bài Tập & Ôn Luyện
Cẩm Nang Lớp Offline - Giải Bài Tập & Ôn Luyện
Cẩm Nang Địa Lý Offline - Giải Bài Tập & Ôn Luyện
Giải Bài Tập 7 Offline Toán Văn Anh Lý Sinh Sử Địa
Cẩm Nang Ngữ Văn Offline - Soạn Văn & Văn Mẫu
Giải Toán 6,7,8,9,10,11,12
Giải Tin Học 6,7,8,9,10,11,12
Giải Bài Tập 6 Offline Toán Văn Anh Lý Sinh Sử Địa
Mê Đọc Truyện
Mọt Truyện
Nghe Truyện Ngắn, Ngôn Tình, Kiếm Hiệp Audio Hay
Giải Vật Lý 6,7,8,9,10,11,12
Giải Tiếng Anh 6,7,8,9,10,11,12