The Schoolyard Bully Trojan is a malware campaign that targets Android applications to get into victims’ devices and steal their Facebook logins. This article shares the Schoolyard Bully Trojan, how it works, its capabilities, and how you can stay protected against it.

A novel Android threat campaign is affecting over 300,000 individuals in over 70 countries. Dubbed the “Schoolyard Bully Trojan,” this threat targets the Facebook login credentials of its victims by impersonating educational applications on the official Google Play Store.

With a huge victim base and potential to harm millions, this shares the details of the Schoolyard Bully Trojan, whether it is connected to the FlyTrap Trojan, and how you can protect yourself.


Schoolyard Bully Trojan at a Glance

The Trojan was analyzed and discovered by Zimperium zLabs, who revealed that the cyber threat had been found in numerous applications on the Google Play Store since 2018. Also present on third-party app stores, the Schoolyard Bully Trojan appears as an educational application offering study materials, books, and topics for individuals to read and has hidden malicious code designed to steal its victims’ Facebook credentials and exfiltrate them to the threat actor-controlled C2 (Command and Control) server on Firebase.

This Trojan’s threat is significant as it can compromise social media accounts and misuse information for spear phishing, impersonation, scamming, and data sale. Where Google has removed the malicious applications from its Play Store, these are still available on third-party application stores, so it is imperative to know about the Trojan to protect yourself.


How Does the Schoolyard Bully Trojan Work?

The Schoolyard Bully Trojan is a sophisticated one that operates stealthily. Here is how it works:

Trojan Disguise

The Trojan disguises itself as an educational application that offers books and study materials. The threat appeared as a non-suspicious application and targeted Vietnamese readers during the initial days of the campaign.



Credential Stealing

The Schoolyard Trojan utilizes Javascript injection to steal login credentials of Facebook from its victims by opening up authentic URLs (Uniform Resource Locators) inside a WebView. The Javascript is injected using a special method which extracts the values of the elements within the page, such as “m_login_email” for the victim’s email and similar ones for their password and phone numbers. The Trojan exfiltrates the victim’s phone number, email address, and password and sends it to the threat actor’s Firebase C2 server.

Furthermore, the Trojan also utilizes native libraries that help it evade the detection of popular antivirus programs and ML (Machine Learning) tools. The stolen and educational data are stored in a password-protected ZIP file in a separate library with the C2 server details. Apart from name and login credentials, the Trojan also steals the following:

  •   Device Name
  •   Device RAM (Random Access Memory)
  •   Device API (Application Programming Interface)


Capabilities of the Schoolyard Bully Trojan

The Trojan is designed to steal Facebook login credentials, a social media giant with accounts connected to third-party websites and its own Messenger and Instagram.



Taking over an individual’s Facebook account will allow the threat actors to assume their identity and impersonate said victims to spread their malicious campaign and target their close friends and family.

As outlined by Director of Mobile Threat Intelligence at Zimperium, Richard Melick, “Attackers can cause a lot of havoc by stealing Facebook passwords; if they can impersonate someone from their legitimate Facebook account, it becomes extremely easy to phish friends and other contacts into sending money or sensitive information.”


Chained Account Compromise

By compromising the Facebook account of an individual, the threat actors behind the malware can easily access full names, email addresses, phone numbers, and passwords. If a threat actor gains access to an individual’s Facebook account in this digital age, the havoc they can cause is unfathomable.

Melick also spoke on this, outlining, “It’s also very concerning how many people reuse the same passwords. If an attacker steals someone’s Facebook password, there’s a high probability that the same email and password will work with banking or financial apps, corporate accounts, and so much more.”



In a time when nearly 64% of individuals reuse passwords, the cyber threat can affect the accounts and lives of millions worldwide, having affected well over 300,000 already. Having access to an individual’s private data, the threat actors can easily impersonate said individuals during phishing campaigns and target their relatives for scams.


Threat Actors Behind the Schoolyard Bully Trojan

The threat actors behind the Trojan were suspected to be the same ones behind FlyTrap, an Android malware that targeted Facebook accounts and was distributed by Vietnamese cybercriminals. With multiple common interests of both lining up, questions behind the threat actor were rising.

FlyTrap Trojan Details

The FlyTrap Trojan has been around since March of 2021 and has affected thousands in over 140 countries. The Trojan was also distributed via third-party app stores and infected victims’ devices and collected their Facebook IDs, location, email addresses, IP (Internet Protocol) addresses, and cookies and tokens associated with said Facebook accounts.

The FlyTrap Trojan spreads malware by using its victims’ profiles and social media credibility to send personal messages to others to spread the Trojan further by social engineering. However, Zimperium zLabs’ report clarifies that the threat actors behind both campaigns are different, and the one behind the Schoolyard Bully Trojan is yet to be unmasked.


How to Protect Against Malware and Malicious Applications?

There are many steps that individuals can take to protect against the Schoolyard Bully Trojan and similar malware. These are:

  1. Official Downloads: You should always download applications from official sites and application stores. Since applications can bypass Google Play Store’s security checks, you should double-check all applications and uncheck any boxes that ask for additional third-party downloads during installation.
  2. Malware Checks: You should check your device for malware regularly. To do this, go to the Google Play Store app and navigate to Menu > Play Protect > Scan. This will scan your Android device for malware and give you options for its removal.
  3. Anti-Malware Applications: Even if Google Play Store provides malware checks, you could benefit from another reliable anti-malware tool and phishing protection software to safeguard your phone against malicious downloads and malware. These tools are efficient and can easily detect threats and aid in removing them effectively.



Final Words

With countless headlines in the cyber security world highlighting malicious applications disguised as fake security tools and impersonating genuine ones to dupe victims, internet users need to learn the lesson of always going for genuine applications instead of third-party ones. On the other hand, it falls onto Google to improve its authentications and implement robust policies so malicious apps on its Play Store can be stopped.

The Schoolyard Bully Trojan campaign might come to an end. Still, similar Trojans and digital threats will not stop, which is why individuals need to focus on security and follow the above steps to keep malware at bay.