The Schoolyard Bully Trojan, which targets Facebook users, has been around since 2018 and is now bullying Android users. Those who download apps from third party locations are especially vulnerable, but those downloading from the Play Store are also at risk. These malicious apps have been removed from the Play Store, but are still widely from third-party app vendors. They are smartly disguised as legitimate educational apps and books.
This is yet another reminder that downloading apps from unofficial sources is not a good idea. They don’t go through as much security screening as those that are scanned for the official Play Store, Apple App Store, or other official channels. Yes, they still may be malicious in some cases, but if they do make it past the scrutineering there, they are typically found out quickly and removed. On third party sites, this is often not the case.
A mobile threat research team from Zimperium zLabs found that the Trojan (that is designed to steal Facebook credentials) has to date affected 300,000 Android users in 71 countries, although the actual number is suspected to be much higher. This is due to the fact that the app can still be downloaded from an unknown number of third-party app stores.
The Facebook ecosystem is an attractive target for threat actors. There are currently approximately 2.96 billion monthly users on Facebook. And many of them use Facebook credentials to log into other websites. While using Facebook, Google, Apple, or other logins to get into other accounts is really convenient, it’s also very risky. Keep in mind that if someone gets your login information for those sites, they also have it for the other ones. It’s especially risky to use them for financial accounts or other sites with a lot of personally identifying information (PII). The end result is that stealing Facebook credentials can represent a serious threat to the financial accounts of these users.
Even though it might seem cumbersome and even annoying to have unique passwords for each account you use, it’s truly safer than doubling up. So, just avoid it. If you cannot remember them, try a couple of tricks. Write down the website and a clue to the password that might jog your memory. You can also just write them down, if you must. Just don’t keep them on your devices that are internet-connected. Old fashioned paper and pen works just fine. Lock that away out of sight and access it only when needed. As another option, there are many password managers, such as LastPass. But, if those experience an intrusion, as LastPass recently did, the attackers have access to all of your passwords.
Whatever you need to do, find a way to keep your passwords unique and secure and you can vastly reduce your risk of becoming a victim of identity or financial theft. And whatever you do, don't user your Facebook login credentials on any other website.