Zimperium, a mobile security firm, is warning of an Android trojan masquerading as reading and education apps that may have stolen Facebook credentials from at least 300,000 users across 71 countries, primarily in Vietnam, since 2018.
Zimperium has named the malware Schoolyard Bully Trojan. It has been delivered via innocent-looking Android applications hosted on Google Play and various third-party app stores. Although Google has removed the malware from its official app store, the malicious applications can still be found on other websites.
The malware evades the majority of antivirus and machine-learning-based virus detections by using native libraries, and it stores its command-and-control data in a native library called libabc.so. That data is further encoded to conceal all of the strings from detection mechanisms.
The sources for this piece include an article in BleepingComputer.