The school bully hits Android: it’s a malware that steals Facebook accounts

been called “Schoolyard Bully”, literally the schoolyard bully, a Trojan that since 2018 has been trying to infect Android smartphones in order to extort the user’s Facebook login credentials, and other data. The news was released by Zimperiumwhich claims that the malware has affected at least 300,000 devices in 71 countries, including Italy.

Some apps used to spread the trojan were also distributed through the Google Play Store, however to date the official Android store has been completely cleaned up. Schoolyard Bully can still be installed on your device todaythrough apps made available on third-party stores.

Schoolyard Bully, the Android trojan has affected 300 thousand devices since 2018

The name Schoolyard Bully due to the behavior of the trojan, which tends to masquerade as a seemingly harmless educational app by hiding its main objective: to steal Facebook account credentials (email and password), account ID, username, and even the name and other sensitive data of the device.

Schoolyard Bully steals these details by loading a legitimate Facebook login page within the app through WebView, but at the same time injects malicious JavaScript code to extract user inputs. Specifically, through the “evaluateJavascript” method, the trojan extracts the values ​​entered in the “ids m_login_email” and “m_login_password” fields, thus obtaining the telephone number, e-mail address and password that the user uses to log in to Facebook.

The trojain also uses native libraries to hide the malicious code from security software and analysis tools. According to telemetry data held by Zimperium, the malware involved 300 thousand victims in 71 different countries, through 37 apps. These, however, have also been distributed on third-party download platforms, therefore likely that the number of “victims” is significantly higher. Furthermore, it cannot be excluded that the malware has also been inserted into other apps not yet discovered by Zimperium, with the actors behind the malware campaign still unknown today.