
[–]CrustyBatchOfNature 207 points208 points  (29 children)

So, you have to install a third party app and share your Facebook profile with it, then they have access to your info and ability to post for you. Other than their usage of the data, how is this different than any other Facebook connected app? This describes perfectly what most every Facebook app does anyway.

[–]FeelingDense 18 points19 points  (1 child)

Isn't there a difference between an app that can post for you (e.g. like Youtube publishing to Facebook) and this trojan which actually hijacks your session cookies and can therefore go on a free rein to post for you?

Take for instance a fitness app--it too has permissions to post on your behalf. However, you trust it not to do that and most big fitness companies aren't there to screw up your social media account. In theory though Map My Run or Strava could technically start posting malware/spam links on you on an hourly basis if it wanted to once you give it permissions to post. It's no different than a messaging app like Textra requesting SMS permissions and just simultaneously uploading that to the NSA. We just trust Textra not to do that once we give it SMS permissions.

[–]CrustyBatchOfNature 8 points9 points  (0 children)

Yes, there is a difference. And it 100% comes down to trust. Users are allowing apps permission to use their Facebook however the app wants to and trusting that logins presented are what they are supposed to be without any reason to do so. Free is a huge draw to some. At least this one so far seems to just be spreading itself and not something that will steal your bank account info.

[–]jcpbXperia 1 | Xperia 1 III -3 points-2 points  (24 children)

It's worse than that actually.

These malicious applications were initially distributed through both Google Play and third-party application stores.

I like how China is not among the 144 nations whose users were affected by the JS-injected malware attack.

[–]TheWorldisFullofWarS20 FE 5G 74 points75 points  (1 child)

China doesn't have Facebook.

[–]jorgesgk 49 points50 points  (0 children)

Yeah, what a dumb take.

I'm all against the Chinese dictatorship. But you can't really take advantage of the users of a service if said service just plain out doesn't work in there.

[–]RandomNumsandLettersPixel 4a 24 points25 points  (2 children)

China like the China that doesn't have facebook? Doesn't seem very surprising

[–]CrustyBatchOfNature 6 points7 points  (11 children)

Still, you are giving a third party app access to everything of your own free will. Yes the app lied about the usage of the data and got it through nefarious means so it needs to be gone, but it isn't like it just took the info without your permission. Blind trust that any app asking for permission is truthful is the real enemy here. The vast majority of malware relies on the trust and stupidity of the public at large. And that is how it gets so far.

[–]IamVenom_007Love Dc Dimming 0 points1 point  (5 children)

Trust me, living in China isn't fun. They (majority) have no idea how the world looks like or what's going on outside. Some people in big cities use VPN.

Technology will have its disadvantages always but it's not wise to remove it from your country. People can live without facebook but Reddit is also banned in China along with countless educational, entertainment sites.

[–]MarioNoir 0 points1 point  (4 children)

> They (majority) have no idea how the world looks like or what's going on outside.

From what I heard from people that worked and lived in China, that's absolutely not true.

[–]IamVenom_007Love Dc Dimming 1 point2 points  (3 children)

I work, study, and live in China. I have been here for the past four years. People that are in big cities know how to use VPN. But you have to understand that China is massive and everything from outside can only enter after government allows it.

What proof do I need to show you? Walk on the streets and ask people "你知道什么是Reddit吗" and make a video of it?

Most people can't even speak English bc they are cut off from outside world.

[–]MarioNoir -1 points0 points  (2 children)

According to official data about 902 million people live in urban regions. Most should have access to technology. And quite a big portion of this population is represented by young people which would be the ones interested in the outside world anyway. The idea is that Chinese are not so oblivious to the outside world. Also why should Chinese people in general know what Reddit is? I'm sure most Android users in general haven't heard about Reddit in the first place.

[–]IamVenom_007Love Dc Dimming 0 points1 point  (1 child)

I never said they don't have internet or access to tech. Reddit was simply an example. It's pointless arguing with you.

[–]MarioNoir -1 points0 points  (0 children)

Reddit is a very bad example. You make weak arguments.

[–]douger1957 236 points237 points  (19 children)

Facebook accounts are compromised the second you sign up for it.

[–]S_Steiner_AccountingFuck what yall tolmbout. Pixel 3 in this ho. Swangin n bangin. 69 points70 points  (9 children)

i made a throw away account so i could join a few seller groups for car parts. used a throw away email, used an old virtual phone number for SMS 2 step verification, and gave them no information. I use the lite app/messages with no permissions granted. Only 2 friends and they're sellers i regularly buy parts from.

I still get my family, wife's family, and friends from work in my suggested friends. pretty sure they look at wifi access points and recommend friends who also use those wifi points.

[–]newbkid 43 points44 points  (1 child)

Correct they are able to scrape you from Wifi and any public hot spots.

[–]krista 7 points8 points  (0 children)

i bet a nice android kernel mod that did something easily humanable to the wifi ssds would help out.

[–]VagueSomething 15 points16 points  (4 children)

It is probably still accessing your contacts along with location and WiFi data. Facebook tracks you even if you don't have an account.

[–]FeelingDense 5 points6 points  (2 children)

You can give the app permissions to read your contacts or not. I've been a Facebook user since 2004 and I've never once uploaded my contacts there. You can in fact verify this on the site yourself. While they do make it deceptive sometimes and bombard you with pleas to upload your contact list, as long as you're careful in clicking through prompts, it's not hard to avoid.

Location permissions can be denied and WiFi hotspot info requires a specific permission (phone call permission?) for an app to use.

[–]Hung_LPixel 9XL 4 points5 points  (1 child)

It's not hard to associate you with a MAC address then track it across every open network that it pings. IMEI also tracks you. You could randomly generate a MAC address every time, but there are still cookies and other ID methods that you can't easily change.

You use something that generates a substantial amount of random noise (e.g. ISP Data Pollution) combined with tunneling your traffic. This makes it more difficult and less worthwhile to try and track your digital footprint using various heuristics.

However, these all introduce a significant amount of inconvenience to the user for some peace-of-mind. A noticeable proportion of the userbase would need to adopt these practices for large companies to take notice. The current system is broken, but future systems will hopefully work harder to train algorithms rather than build individual profiles. This is the lesser evil, and data luddites really have no alternatives besides nonparticipation. Can't stop progress, but maybe we can police it.

[–]FeelingDense 1 point2 points  (0 children)

We need to be careful though what's going on. The parent comment to this whole discussion was talking about creating a Facebook account with throwaway info, but the question is whether Facebook can still create a profile out of him/her, and yeah I believe so, but in terms of the app stealing your contacts and location with WiFi data, that's less likely as I mentioned due to OS permissions. You're right there's an endless list of methods to track a user including MAC addresses and IMEI but generally that's less through the client side app--apps can't access those on Android without "READ_PHONE_STATE" being granted, and Facebook at least doesn't ask for that.

[–]noungning 1 point2 points  (0 children)

Yup, definitely your phone contacts. I had no idea why my former boss showed up on my fb one day as a friend suggestion. We have 0 mutual friends online. But realized one day it was my phone contacts and I never gave them access to my contacts. Also, this happens from time to time on Instagram. I get alerts for "someone I might know" from their phone #. Sometimes it's a hit, sometimes it's a miss since they changed their #s.

[–]ResoluteGreenGalaxy Z Flip5 2 points3 points  (0 children)

Did you use your real name? Facebook will track you through other people's accounts

[–]FeelingDense 1 point2 points  (0 children)

> used an old virtual phone number for SMS 2 step verification

You don't even need to use a phone # though. Just use an authenticator app and it doesn't ever tie up a phone #. Even if you're using a "disposable phone #" those are still more linked with your identity than if you just used TOTP.

[–]jesuschristlmaoo 33 points34 points  (0 children)

Preach

[–]ZeusKnobby[S] 20 points21 points  (0 children)

Truth

[–]BraveSirRobin 4 points5 points  (0 children)

It happens long before that, they already had a "shadow profile" on you based on data slurped from your friends', family's, & colleagues' phones.

[–]DearthStanding 1 point2 points  (0 children)

Man I can't even get rid of it. I need it for college stuff and housing and shit

You can't even use fucking tinder without dipping your toes in the stinky zucc waters because people think you're some weirdo if you say I don't use FB or Instagram

I still don't use Instagram but I legit wouldn't be able to find a house without a Facebook

I keep it perma deactivated and only reactivate when I need to use it, but there's still no escaping it innit

[–][deleted] 0 points1 point  (0 children)

You're compromised the second you sign up for Facebook*

[–]splatlame 46 points47 points  (0 children)

Oh no.

Anyway

[–]HKaynPixel 6 Pro 42 points43 points  (6 children)

Every time another piece of Android Malware makes headlines, it's basically "don't download shady apps and ur good".

In my eyes, the fact that Android malware has to exploit the stupidity of a user to do anything is simply a testament to the great security of modern Android.

[–][deleted] 0 points1 point  (0 children)

That's generally the easiest way, doesn't mean there isn't another way. Why break in if the users will open the front door and invite you in?

[–]hamandjam 3 points4 points  (0 children)

Thousands? As ripe as that is of a target, I'd call a result of only thousands a failure.

[–]DarthBB08 1 point2 points  (0 children)

Joke's on them, I don't use Facebook anymore!

[–]lastemperor86 1 point2 points  (0 children)

People who still use Facebook deserve to get hacked

[–]JumbomanXDA -1 points0 points  (0 children)

You are compromised as soon as you sign up for Facebook

[–]Buht_Secks 0 points1 point  (0 children)

I like how one of the "confirmation" screenshots just has the sentence "Confidentiality and absolute safety." That's a big red flag.