Savvy cybercriminals often use social engineering to try to trick people into installing malware or revealing sensitive information. A malicious campaign uncovered by mobile security provider Zimperium found malicious Android apps that employed social engineering tactics to gain access to the Facebook accounts of their victims.

Initially available through both Google Play and third-party stores, the malicious apps have surfaced in at least 140 countries since March 2021, hitting more than 10,000 victims, Zimperium said in a Monday blog post. After Zimperium informed Google of the apps in question, the company removed them from Google Play. However, they’re still accessible on third-party stores, which means they’re a threat for users who sideload apps from unofficial sources.

The apps work by delivering an Android trojan that Zimperium codenamed FlyTrap. The attackers first lure people into downloading the apps with high-quality graphics and convincing login screens.

After being installed, the apps try to engage users by displaying come-ons designed to arouse their interest. These include a Netflix coupon code, a Google AdWords code, and a promo asking them to vote for their favorite soccer team in the UEFA Euro 2020 games.

Users who engage with one of the come-ons are then shown the Facebook login page and asked to sign into their account to collect the coupon code or cast their vote. No code is ever delivered and no vote is ever cast. Instead, a message pops up saying that the coupon has expired and is no longer valid.

Once the victim has signed in, the trojan opens a legitimate Facebook URL and injects JavaScript into it. Through that injected code, the trojan is able to access and extract the user’s Facebook account details, location, IP address and session cookies. As an additional threat, the Command & Control server operated by the attackers contains security flaws that expose all of the stolen session cookies to anyone on the internet.

“This is a nifty combination of a handful of vulnerabilities,” said Setu Kulkarni, VP of strategy for app security provider NTT Application Security. “The human vulnerability to click before you think, a software vulnerability to allow JS injection, the abundance of metadata open to access location, and finally the implicit trust that can be gained by clever yet dubious association with the likes of Google, Netflix, etc. The concerning bit is the network effect this type of trojan can generate by spreading from one user to many.”

To help Android users protect themselves against such malicious apps, Richard Melick, Zimperium’s director of product marketing for endpoint security, offers a few tips:

Avoid installing mobile apps from unofficial sources. Though Google removed the malicious apps from its Google Play store, many are still available through third-party stores and social media, where they can spread quickly. Users should therefore avoid sideloading apps or installing them from untrusted sources. Apps obtained this way have likely not been run through security scans and can more easily contain malicious code.

Be vigilant about the activity and requests of mobile apps. Be aware that if you grant an app’s request to connect to one of your social media accounts, the app gains full access to, and control over, certain key information.

Remove any suspicious apps. If you believe an app may be putting your data at risk, delete it from your device immediately. If you added the app on Facebook, follow the company’s instructions for removing the app and your associated data.
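The first and third tips above (avoid sideloaded apps, find and remove suspicious ones) can be checked on a connected device rather than by memory. The script below is an added example, not code from Zimperium or the article: it parses the output of Android’s `pm list packages -i -3` (third-party packages with their recorded installer) and flags every package that was not installed by Google Play. The trusted-installer list and the sample device output are constructed assumptions for an offline run.

```shell
#!/bin/sh
# Audit which third-party apps on an Android device were sideloaded.
# Real usage:  adb shell pm list packages -i -3 | flag_sideloaded
# Assumption: only Google Play (com.android.vending) counts as an official
# source; add a vendor store's package name here if your fleet uses one.
TRUSTED_INSTALLERS="com.android.vending"

# Reads "package:<name>  installer=<source>" lines on stdin and prints
# "<name> <source>" for each package whose installer is not trusted.
# installer=null means the APK arrived via adb, a file download or a
# third-party store that does not register itself as the installer.
flag_sideloaded() {
    while IFS= read -r line; do
        case "$line" in package:*) ;; *) continue ;; esac
        pkg=${line#package:}
        pkg=${pkg%%[[:space:]]*}
        src=${line##*installer=}
        trusted=0
        for t in $TRUSTED_INSTALLERS; do
            [ "$src" = "$t" ] && trusted=1
        done
        [ "$trusted" -eq 1 ] || printf '%s %s\n' "$pkg" "$src"
    done
}

# Constructed sample of `pm list packages -i -3` output (not from a real
# device): one Play-installed app and two that came from elsewhere.
SAMPLE='package:com.android.chrome  installer=com.android.vending
package:com.example.coupons  installer=null
package:com.example.store.app  installer=com.example.thirdpartystore'

# Number of flagged packages in SAMPLE; used as a quick self-check.
count_sideloaded() {
    printf '%s\n' "$SAMPLE" | flag_sideloaded | wc -l | tr -d ' '
}

# Flagged packages are candidates for review and, if unexpected,
# removal with: adb shell pm uninstall <package>
printf '%s\n' "$SAMPLE" | flag_sideloaded
```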

Editor’s note: This article has been updated with additional comment.