NewsOnline Security

Android Users Beware! There’s A Schoolyard Bully Roaming Around

Android users have been targeted by numerous attacks during 2022. Even if they downloaded applications from Google Play Store, cybercriminals managed to infiltrate it as well. Unfortunately, it’s getting worse as a new Android malware has been masquerading as reading and education apps – enter Schoolyard Bully.

Threat actors are bullies, and the name suits the malware perfectly. What seems like a harmless application can lead to a complete Facebook takeover. According to reports, it has already affected more than 300,000 devices across the world.

Schoolyard Bully is going global and it doesn’t seem to be stopping any time soon. How is it spreading? What data can it harvest? Here’s everything we know.

Schoolyard Bully – Give Me Your Credentials!

As we mentioned, Android users can’t seem to rest as cybercriminals keep targeting them with various campaigns. Google Play Store alone has been breached several times in 2022 spreading all sorts of malware families.

Two recent campaigns included adware that redirects users to malicious websites, leading to various practices such as ad fraud, data theft, and more.

What makes this worse is that the malware disguises itself as harmless applications such as cameras, currency/unit converters, QR code readers, note-taking apps, and the like.

In Schoolyard Bully’s case, these so-called “harmless” apps come in the form of reading and education apps. Based on Zimperium’s report, the campaign has infected more than 300,000 devices across 71 countries, with an extra focus on Vietnam.

Schoolyard Infection Map

It all starts when the victims download these fake applications. Once they launch one, it’ll open a very convincing Facebook-Login page. You can see how legit it looks in the following image.

Facebook Fake Login

This is where the malicious magic happens. The moment they enter their credentials, the malware will steal everything related to their Facebook account and device. This includes username, account ID, Facebook credentials, device name, device API, and device RAM.

Zimperium states that everything the user inputs gets harvested using WebView and through injecting malicious JavaScript to extract the user inputs.

“The javascript code extracts the value of elements with ‘ids m_login_email’ and ‘m_login_password,’ which are placeholders for the phone number, email address, and password.”
Bully Java

This campaign kicked off in 2018 and it also included applications on Google Play Store. Now, these ones have been removed, but remain available through third-party app stores.

In total, they’re 37 applications. Unfortunately, since they’re distributed through unknown sources, we can’t know how many downloads these malicious apps have harnessed. Things can get out of control in an instant.

A New Campaign – The Bully is Unknown

Zimperium states that no threat actor has claimed the attack, so it remains unknown who’s behind it. The Schoolyard Bully trojan is quite dangerous.

And if it continues on this path, things are going south pretty soon. Never download an application from an untrusted source. You never know when or where cybercriminals are lurking to infect your device. Stay safe.

Jonathan Beesly

Jonathan is the main author at He regularly publishes posts that aim to introduce better cyber-security practices to the masses.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Articles

Back to top button