Pierluigi Paganini March 13, 2020

Experts discovered an Android Trojan, dubbed Cookiethief, that is able to gain root access on infected devices and hijack Facebook accounts.

Security experts from Kaspersky recently discovered Android Trojan that was designed to gain root access on infected devices and hijack Facebook accounts by stealing cookies from the browser and the social media app.

“We recently discovered a new strain of Android malware. The Trojan (detected as: Trojan-Spy.AndroidOS.Cookiethief) turned out to be quite simple. Its main task was to acquire root rights on the victim device, and transfer cookies used by the browser and Facebook app to the cybercriminals’ server.” reads the analysis published by Kaspersky. “Malware could steal cookie files of any website from other apps in the same way and achieve similar results.”

The package name of the Cookiethief Trojan (com.lob.roblox) is similar to the one of the Roblox Android gaming client (com.roblox.client), but the two software have not common.

The malware doesn’t exploit any flaw in the Facebook app or the browser, the researchers explained that the malicious code achieves root privileges by connecting with another backdoor installed on the smartphone, then passes it a shell command for execution.

The backdoor, tracked as Bood, is located at the path /system/bin/.bood, it launches a local server and executes the command that the passed by the Cookiethief malware.

The analysis of the command and control (C&C) server revealed the presence of a page that advertises services for sending spam on social networks and messengers, a circumstance that suggests the motivation between the development of this malware.

“How can stealing cookies be dangerous? Besides various settings, web services use them to store on the device a unique session ID that can identify the user without a password and login.” continues Kaspersky. “This way, a cybercriminal armed with a cookie can pass himself off as the unsuspecting victim and use the latter’s account for personal gain.”

While analyzing Cookiethief, researchers also identified another malicious application, tracked as Trojan-Proxy.AndroidOS.Youzicheng, that connects the same C2 and that shows similar coding. This malicious app allows to run a proxy on the victim’s device, according to the experts is was designed to bypass Facebook protections.

“By combining these two attacks, cybercriminals can gain complete control over the victim’s account and not raise a suspicion from Facebook. These threats are only just starting to spread, and the number of victims, according to our data, does not exceed 1000, but the figure is growing,” continues the report.

The researchers believe that Cookiethief can be linked with other common Trojans, including Sivu, Triada, and Ztorg, some of them were discovered pre-installed on models of low-cost Android smartphones.

“As a result, a persistent backdoor like Bood, along with the auxiliary programs Cookiethief and Youzicheng, can end up on the device,” Kaspersky concludes.

Pierluigi Paganini

(SecurityAffairs – malware, Android)

[adrotate banner=”5″]

[adrotate banner=”13″]