This Android trojan has stolen over 300,000 Facebook accounts — how to stay safe

Facebook app on phone
(Image credit: Shutterstock)

Over 300,000 Android users have fallen victim to a newly discovered campaign that uses malicious apps to infect their devices with a trojan capable of hacking Facebook accounts.

According to a new report (opens in new tab) from Zimperium, the Schoolyard Bully Trojan has been active since 2018, though more recently cybercriminals are using seemingly innocent educational apps on the Google Play Store and third-party app stores to distribute it.

Facebook has over 2.96 billion monthly users, which is why attackers continue to target the platform, and this trojan is capable of stealing emails, phone numbers, passwords, IDs and full names from it. And since password reuse is still a major problem, stolen Facebook passwords can often be used to access users’ financial accounts.

Using malicious apps to target victims

Students in kitchen

(Image credit: Shutterstock)

In this latest campaign educational apps are being used to distribute the Schoolyard Bully Trojan, primarily to those in Vietnam, but users from 70 other countries have also been targeted.

These malicious apps – which have since been removed from the Play Store – contain a chat option, though users need to log into their Facebook account before they can use it. 

When a user tries to log in, Schoolyard Bully uses JavaScript injection to steal their Facebook credentials, which are then sent to a command and control (C&C) server operated by the attackers. The trojan is also able to evade antivirus software by using native libraries to store the C&C data. 

According to Zimperium, Android users in countries around the world including the U.S., Canada, Australia, Brazil, the UK, India and others have been targeted by Schoolyard Bully. However, the actual number of countries could be higher since these malicious apps can still be found in third-party app stores. 

How to stay safe from Android trojans and malware

In order to avoid having your Facebook and other credentials stolen by hackers, the first thing you should do is avoid installing apps from unofficial app stores and unknown sources. Sideloading apps is one of the many perks of being an Android user, but it can also be dangerous if you’re not careful.

You also want to ensure that Google Play Protect is enabled on your Android smartphone, as this built-in app can scan any new app you download as well as the other apps you have installed for malware. For additional protection, you might also want to consider using one of the best Android antivirus apps alongside it.

Finally, you need to think carefully before installing any new app on your devices. Sure, Google scans them for malware and viruses before they are uploaded to the Play Store, but bad apps occasionally manage to slip through the cracks. This is why you should read external reviews and look into an app’s developer before tapping the install button.

The Schoolyard Bully Trojan has been active for over four years now, during which time it successfully stole credentials from over 300,000 users. As such, this trojan will likely continue to be used by cybercriminals to steal passwords and accounts from unsuspecting users.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.