Researchers have found a new strain of Android malware in the wild that steals the authentication cookies that keep users logged in to Facebook.
Security experts from Kaspersky discovered the Android Trojan and dubbed it Cookiethief. Rather than exploiting a flaw in Facebook, the Trojan obtains root access on the infected device through a second backdoor already present on it, then copies the session cookies stored by the browser and the Facebook app, which is enough to hijack the victim's account.
“We recently discovered a new strain of Android malware. The Trojan turned out to be quite simple. Its main task was to acquire root rights on the victim device, and transfer cookies used by the browser and Facebook app to the cybercriminals’ server,” Kaspersky explained in its analysis.
“This abuse technique is possible not because of a vulnerability in the Facebook app or browser itself,” researchers said. “Malware could steal cookie files of any website from other apps in the same way and achieve similar results.”
What are cookies?
Cookies are small pieces of data that a website sets in the browser (or app) and that are sent back with every later request to that site. Sites use them to tell one user's session from another's, and also to track users for marketing purposes.
In particular, session cookies let users stay logged in to a service without repeatedly signing in. Cookiethief exploits exactly this behavior: whoever presents a valid session cookie is treated as the logged-in user, so the attackers gain access to the victim's accounts without ever knowing the passwords.
The malicious code obtains root privileges by connecting to another backdoor already installed on the smartphone and passing it shell commands for execution. “The backdoor Bood, located at the path /system/bin/.bood, launches the local server…and executes commands received from Cookiethief,” wrote the researchers.
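The two indicators the report gives for Bood (a hidden executable at /system/bin/.bood and a local server it runs) are enough for a simple host check. The script below is an added example, not Kaspersky's tooling: it parses `ls -la /system/bin` and `ss -ltnp` output (pulled over `adb shell` when run with `--live`, otherwise the constructed sample embedded in the block) and reports any hidden binary in /system/bin plus any listening socket owned by a process named `.bood`. The adb commands, the sample lines and the listening port in the sample are assumptions; the report does not state the port.

```python
"""Indicator check for the Bood backdoor: a hidden executable at
/system/bin/.bood and a local server it runs. Added example, not Kaspersky's
tooling; the adb commands and the sample outputs below are assumptions."""
import re
import subprocess
import sys

SYSTEM_BIN = "/system/bin"
BOOD_PATH = f"{SYSTEM_BIN}/.bood"   # path named in Kaspersky's report
ISO_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")


def hidden_system_binaries(ls_output):
    """Parse `ls -la /system/bin` (toybox or GNU format) and return the
    dot-prefixed entries. A stock system image has no hidden binaries there."""
    hidden = []
    for line in ls_output.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] == "total":
            continue
        # toybox: ... size YYYY-MM-DD HH:MM name ; GNU: ... size Mon DD HH:MM name
        if ISO_DATE.fullmatch(parts[5]):
            name = parts[7]
        elif len(parts) >= 9:
            name = parts[8]
        else:
            continue
        if name.startswith(".") and name not in (".", ".."):
            hidden.append(f"{SYSTEM_BIN}/{name}")
    return hidden


def listeners_for(ss_output, process_name):
    """Parse `ss -ltnp` output and return the local addresses bound by
    process_name. Process names are only shown when ss runs as root."""
    needle = f'users:(("{process_name}"'
    return [line.split()[3] for line in ss_output.splitlines() if needle in line]


def scan(ls_output, ss_output):
    """Combine both parsers into a list of human-readable findings."""
    findings = []
    for path in hidden_system_binaries(ls_output):
        if path == BOOD_PATH:
            findings.append(f"known backdoor path present: {path}")
        else:
            findings.append(f"unexpected hidden binary in {SYSTEM_BIN}: {path}")
    for addr in listeners_for(ss_output, ".bood"):
        findings.append(f".bood has a listening socket on {addr}")
    return findings


def adb_shell(cmd):
    """Run a command on the attached device; needs a root shell for `ss -p`."""
    return subprocess.run(["adb", "shell", cmd], capture_output=True,
                          text=True, check=False).stdout


# Constructed sample outputs in the shape of an infected device (the 8888
# port is made up; the report does not state which port Bood listens on).
SAMPLE_LS = """\
total 1234
drwxr-xr-x 2 root shell  4096 2020-01-10 12:00 .
drwxr-xr-x 9 root root   4096 2020-01-10 12:00 ..
-rwxr-xr-x 1 root shell 62016 2020-01-10 12:00 .bood
-rwxr-xr-x 1 root shell 10232 2020-01-10 12:00 sh
lrwxr-xr-x 1 root shell     6 2020-01-10 12:00 ls -> toybox
"""
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4      0.0.0.0:5555        0.0.0.0:*         users:(("adbd",pid=412,fd=9))
LISTEN 0      128    127.0.0.1:8888      0.0.0.0:*         users:((".bood",pid=2211,fd=3))
"""

if __name__ == "__main__":
    if "--live" in sys.argv:
        ls_out, ss_out = adb_shell(f"ls -la {SYSTEM_BIN}"), adb_shell("ss -ltnp")
    else:
        ls_out, ss_out = SAMPLE_LS, SAMPLE_SS
    for finding in scan(ls_out, ss_out) or ["no Bood indicators found"]:
        print(finding)
```

A hit is strong evidence; a clean result is not proof of a clean device, because a backdoor running as root can hide its file and its socket from userland tools. Older Android builds without `ss` expose the same information through `netstat -ltnp`.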
There are security measures that should catch this scenario.
Facebook flags suspicious logins, such as a session being used from IP addresses, devices, and browsers that have never been used with the account before. Cookiethief works around this with a second malicious app, named Youzicheng, which runs a proxy server on the victim's device so that the attackers' requests reach Facebook from the victim's own IP address and look like the victim's ordinary activity.
“By combining these two attacks, cybercriminals can gain complete control over the victim’s account and not raise suspicion from Facebook. These threats are only just starting to spread, and the number of victims, according to our data, does not exceed 1000, but the figure is growing,” continues the report.
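The two halves of the attack, cookie replay in place of a password and a proxy on the victim's phone to defeat the new-IP/new-device check, are easiest to see against a toy server. The block below is an added example, not Kaspersky's or Facebook's code: a minimal web app issues a session cookie at login, accepts the cookie alone on later requests, and refuses a session that shows up from an IP or User-Agent it was not issued to (an assumed stand-in for Facebook's real checks). The victim's and attacker's addresses, the cookie name and the anomaly rule are all constructed.

```python
"""Toy model of cookie-based sessions and why stolen cookies replayed from the
victim's own device slip past "new IP/device" login checks.
Added example, not Kaspersky's or Facebook's code; names and rules are assumptions."""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    issued_ip: str   # client address seen when the cookie was issued
    issued_ua: str   # User-Agent seen when the cookie was issued


class WebApp:
    """Models a site that keeps users logged in with a session cookie."""

    def __init__(self, users):
        self.users = users          # user -> password (demo only; never store plaintext)
        self.sessions = {}          # cookie token -> Session

    def login(self, user, password, ip, ua):
        """Password login. Returns the cookie jar the browser would store on disk."""
        if self.users.get(user) != password:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = Session(user, ip, ua)
        return {"sessionid": token}

    def request(self, cookies, ip, ua):
        """Authenticated request: the cookie alone proves identity, no password."""
        sess = self.sessions.get(cookies.get("sessionid"))
        if sess is None:
            return "401 not logged in"
        # Assumed anomaly rule: cookie used from an IP or device never seen with
        # this session -> refuse and demand a fresh login.
        if (ip, ua) != (sess.issued_ip, sess.issued_ua):
            return "403 suspicious login: new IP/device, re-authenticate"
        return f"200 hello {sess.user}"

    def change_password(self, cookies, ip, ua, current_password, new_password):
        """Step-up check: a sensitive action requires the password again."""
        status = self.request(cookies, ip, ua)
        if not status.startswith("200"):
            return status
        user = self.sessions[cookies["sessionid"]].user
        if self.users[user] != current_password:
            return "403 wrong password"
        self.users[user] = new_password
        return "200 password changed"


def scenario():
    """Walk through theft and replay; returns the server's answer at each step."""
    app = WebApp({"victim": "hunter2"})
    victim_ip, victim_ua = "203.0.113.5", "Android-Chrome"   # constructed
    attacker_ip, attacker_ua = "198.51.100.9", "Desktop-Firefox"  # constructed

    # 1. Victim logs in normally; the browser writes the cookie to its store.
    jar = app.login("victim", "hunter2", victim_ip, victim_ua)

    # 2. Cookiethief-style theft: the cookie store is copied off the device.
    stolen = dict(jar)

    return {
        "victim_browsing": app.request(jar, victim_ip, victim_ua),
        # 3a. Replay from the attackers' own machine: caught by the anomaly rule.
        "replay_direct": app.request(stolen, attacker_ip, attacker_ua),
        # 3b. Replay through a proxy on the victim's phone (the Youzicheng role):
        #     the server sees the victim's IP and User-Agent, so it lets it through.
        "replay_via_victim_proxy": app.request(stolen, victim_ip, victim_ua),
        # 4. What the stolen cookie still cannot do: an action gated by the password.
        "attacker_changes_password": app.change_password(
            stolen, victim_ip, victim_ua, "guess", "pwned"),
    }


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step:28s} {result}")
```

The server-side lesson is that IP and device binding only raise the bar; once the attacker can relay through the victim's device, the replayed cookie is indistinguishable from the victim's own traffic, so the remaining defenses are short session lifetimes, re-entering the password for sensitive actions, and not letting a rooted device hold a long-lived session in the first place.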
“As a result, a persistent backdoor like Bood, along with the auxiliary programs Cookiethief and Youzicheng, can end up on the device,” Kaspersky concludes.