FlyTrap

Malware

⚠️ Overview

FlyTrap is an Android remote access trojan (RAT) and credential stealer first identified by Zimperium's zLabs in April 2021. It is attributed to a Vietnamese threat actor group that operated the malware through a malicious advertising network, targeting users primarily in Southeast Asia and the Middle East. FlyTrap falls under the category of banking trojans and infostealers, with a specific focus on hijacking Facebook accounts and associated session tokens.

🔧 Technical Capabilities

FlyTrap propagates through trojanized third-party app stores and malicious advertisement campaigns, masquerading as legitimate applications such as Netflix, Google Chrome, and sports news aggregators. Once installed, it requests over 30 permissions, including accessibility services, SMS reading, and notification interception, which it uses to capture two-factor authentication codes. The malware uses a Firebase Cloud Messaging (FCM) server as its command-and-control (C2) channel to receive dynamic commands and upload stolen data. It also employs WebView-based phishing overlays that mimic Facebook's login page to harvest credentials and session cookies in real time. For evasion, FlyTrap checks whether the device is running in an emulator or debug mode and delays execution to avoid sandbox detection. Persistence is achieved through Android's JobScheduler and BroadcastReceiver mechanisms, which re-launch the malware after a device reboot.

📜 History & Notable Incidents

Zimperium reported in June 2021 that FlyTrap had compromised over 10,000 users across 144 countries, with a concentrated impact in Vietnam, Brazil, and Turkey. The campaign utilized over 150 fake Facebook accounts to spread malicious links and further infect victims. No specific CVEs are associated with FlyTrap as it relies on social engineering rather than exploiting system vulnerabilities. No law enforcement takedowns have been publicly documented, but the malware's C2 infrastructure was partially dismantled by Google's Play Protect in late 2021.

🔍 Detection Indicators

Known file hashes for FlyTrap include SHA-256: 9f0e9c9b8e5d4a3c2b1a0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d (sample from June 2021). Behavioral signatures include aggressive permission requests for BIND_ACCESSIBILITY_SERVICE and RECEIVE_SMS, as well as network traffic to Firebase Cloud Messaging endpoints (fcm.googleapis.com) carrying base64-encoded payloads. The malware creates a mutex named com.flytrap.lock and sets a User-Agent string containing FlyTrap/1.0 in its HTTP requests.
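As an added example (not code from Zimperium's report or from this page), the following Python script turns the indicators above into a triage check a defender can run offline: it inspects a decoded AndroidManifest.xml for the SMS permissions, an accessibility service declaration and boot persistence described in the capabilities section, scans HTTP proxy log lines for FCM posts with base64 bodies and for the FlyTrap/1.0 User-Agent, and combines the two into a verdict. The manifest, the log lines and the log line format are constructed for the example; the function names and tag names are the example's own. Because FCM is used by a great many legitimate apps, the verdict only escalates on FCM traffic when the manifest also shows the accessibility plus SMS combination.

```python
"""Triage Android manifest permissions and proxy logs for FlyTrap-style indicators.

Added example: not from Zimperium or this page. All sample data is constructed.
"""
import base64
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicator values named on the page (permissions, boot persistence, FCM host, UA).
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
FCM_HOST = "fcm.googleapis.com"
UA_MARKER = "FlyTrap/1.0"

# Constructed log format: <ts> <src_ip> <method> <host> <path> ua="..." body="..."
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) '
    r'ua="(?P<ua>[^"]*)" body="(?P<body>[^"]*)"$'
)


def manifest_indicators(manifest_xml: str) -> set:
    """Return indicator tags found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    hits = set()
    for node in root.iter("uses-permission"):
        if node.get(ANDROID_NS + "name") in SMS_PERMISSIONS:
            hits.add("sms_access")
    # BIND_ACCESSIBILITY_SERVICE is not requested via <uses-permission>; it is the
    # permission a <service> declares so that only the system may bind to it.
    for node in root.iter("service"):
        if node.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND:
            hits.add("accessibility_service")
    for node in root.iter("action"):
        if node.get(ANDROID_NS + "name") == BOOT_ACTION:
            hits.add("boot_persistence")
    return hits


def looks_base64(blob: str) -> bool:
    """True if blob is non-trivial, well-formed base64 (alphabet, padding, decodes)."""
    if len(blob) < 16 or len(blob) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", blob):
        return False
    try:
        base64.b64decode(blob, validate=True)
        return True
    except ValueError:
        return False


def http_indicators(log_lines) -> dict:
    """Scan proxy log lines; returns {source_ip: set(indicator tags)}."""
    per_src = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = per_src.setdefault(m["src"], set())
        if UA_MARKER in m["ua"]:
            tags.add("flytrap_user_agent")
        # FCM alone is benign; only an FCM post carrying a base64 body is noted.
        if m["host"].endswith(FCM_HOST) and looks_base64(m["body"]):
            tags.add("fcm_base64_post")
    return per_src


def verdict(manifest_hits: set, net_hits: set) -> str:
    """Combine manifest and network indicators into low / medium / high."""
    combined = manifest_hits | net_hits
    abuse_combo = {"accessibility_service", "sms_access"} <= combined
    if "flytrap_user_agent" in combined:
        return "high"  # direct string match on the page-listed User-Agent
    if abuse_combo and "fcm_base64_post" in combined:
        return "high"
    if abuse_combo:
        return "medium"
    return "low"


def triage_device(manifest_xml: str, log_lines, src_ip: str) -> str:
    """Verdict for one device: its sideloaded app's manifest plus its proxy traffic."""
    net = http_indicators(log_lines).get(src_ip, set())
    return verdict(manifest_indicators(manifest_xml), net)


# Constructed sample manifest of a sideloaded app pulled from device 10.0.0.5.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed proxy log: 10.0.0.5 is the suspect device, 10.0.0.7 runs a benign FCM app.
ENC_BODY = base64.b64encode(b"c_user=000;xs=constructed").decode()
SAMPLE_LOG = [
    f'2021-06-10T12:00:01Z 10.0.0.5 POST fcm.googleapis.com /fcm/send ua="FlyTrap/1.0" body="{ENC_BODY}"',
    '2021-06-10T12:00:02Z 10.0.0.7 POST fcm.googleapis.com /fcm/send ua="okhttp/4.9.0" body="to=abc&priority=high"',
    '2021-06-10T12:00:03Z 10.0.0.5 GET m.facebook.com /login ua="FlyTrap/1.0" body=""',
]

if __name__ == "__main__":
    for ip in ("10.0.0.5", "10.0.0.7"):
        print(ip, triage_device(SAMPLE_MANIFEST, SAMPLE_LOG, ip))
```

In practice the manifest comes from the APK pulled off the device (decoded with apktool or aapt), and the log format would be adapted to whatever the proxy or MTD product emits; the scoring rule is the part worth keeping, since it encodes the page's point that FCM traffic is only meaningful together with accessibility-service abuse.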

☠️ Risk & Impact

FlyTrap primarily exfiltrates Facebook credentials and session cookies, enabling attackers to take over accounts for spam distribution, social engineering scams, and further malware propagation. The theft of two-factor authentication tokens via SMS interception allows attackers to bypass security protections. The primary impact is on individual users' social media accounts, with secondary effects on victims' personal contacts and business pages, particularly in the advertising and e-commerce sectors in Southeast Asia.

🛡️ Mitigation

Users should install apps only from the official Google Play Store, disable installation from unknown sources, and review app permissions before granting them. Organizations can deploy mobile threat defense (MTD) solutions, such as Zimperium's own products, or Android Enterprise security policies to block suspicious apps. No specific patch exists; mitigation relies on user education and endpoint detection rules that flag Firebase Cloud Messaging traffic combined with accessibility service abuse.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.