A combination of new modifications to Android malware code has given rise to Trojans able to steal browser and app cookies from compromised devices.
On Thursday, researchers from Kaspersky said the new malware families, dubbed Cookiethief, use a combination of exploits to acquire root rights to an Android device and then to steal Facebook cookie data.
Cookies are tiny pieces of data that are collected by websites, online services, and mobile applications in order to track users. This information may be used for marketing purposes — including the creation of personalized content or ad recommendations — to track user engagement, or to compile wider datasets on consumers, such as their purchase patterns and interests.
Cookies are not generally considered harmful, albeit a nuisance and potentially privacy-eroding. However, when they are stored by websites and used to generate unique session IDs to allow users to stay logged in to a service, their loss may be a security risk.
Threat actors may be able to fool a website into believing they are legitimate account holders, leading to account compromise, data theft, and potentially hijacking. There are security measures that can prevent these scenarios; however, the new malware’s bag of tricks attempts to circumvent them.
Kaspersky isn’t entirely sure how Cookiethief has landed on devices already showing signs of infection — at the last count being roughly 1,000, a figure that is climbing — but once the Trojan does, the first stage of the attack is to acquire root rights on an Android mobile device.
In the cases documented by Kaspersky, Facebook cookies are the prime target. The team is keen to emphasize that there does not appear to be a vulnerability in the Facebook app or mobile browsers that permits the theft and malware intrusion.
The Bood backdoor is installed at the time of infection which connects to a command-and-control (C2) server and shell commands are passed for « superuser » command execution and cookie theft.
However, stealing cookies is not enough to gain Facebook account access, as any suspicious activity could result in accounts being automatically blocked. This is where Cookiethief’s second stage comes in.
During analysis, the team found a second branch of the malware with similar coding and the same C2 server connection. This malware launches a proxy on the victim device to make access requests appear legitimate.
« By combining these two attacks, cybercriminals can gain complete control over the victim’s account and not raise suspicion from Facebook, » the team says. « From there, the criminals can pose as the victim and take control of their social networking account to distribute undesirable content. »
The content in question is likely spam or the distribution of malicious links. A webpage stored on the fraudster’s C2 advertises social network account and messenger distribution services, and so the researchers believe the Trojan could be the result of efforts to spread spam and phishing attacks.
Kaspersky says that Cookiethief may also be connected to existing Trojans including Sivu, Triada, and Ztorg, which are generally embedded into firmware or deployed through operating system vulnerabilities.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0