A new, simple but dangerous strain of Android malware has been found in the wild that steals users' authentication cookies from the web browser and other apps installed on compromised devices, including Chrome and Facebook.

Dubbed "Cookiethief" by Kaspersky researchers, the Trojan works by acquiring superuser (root) rights on the target device and then passing the stolen cookies to a remote command-and-control (C2) server operated by the attacker.

"This technique of aggression is not feasible because the Facebook program or browser itself is vulnerable," Kaspersky researchers said. Malware could steal cookies from other websites in the same way and achieve similar results on any other device.

Cookies are small pieces of data that websites use to tell users apart, keep state across otherwise stateless web requests, track browsing sessions across different sites, serve personalised content and target advertising.

Because cookies on a device let users stay logged in to a service without entering their credentials again, Cookiethief abuses that behaviour so that attackers can gain unauthorised access to victims' accounts without ever knowing their actual passwords. "An assailant with a cookie can therefore be the unsuspected target and use the latter's account for personal benefit," the researcher said.

The Trojan is believed to land on the device in a number of ways, including being planted in the firmware before the device is purchased, or by exploiting vulnerabilities in the operating system to install malicious applications.

Once the device is compromised, the app connects to a backdoor, named 'Bood', installed on the same smartphone, which runs the superuser commands that allow the cookies to be stolen.

Stolen cookies alone are not enough for Cookiethief, however. Facebook has security measures that block unusual attempts to access an account, for example from IP addresses, devices and browsers that have never been used before.

The bad actors work around this with a second malicious app, named 'Youzicheng', which runs a proxy server on the infected device so that access requests appear to come from the account owner's geographical location and look legitimate. "By combining these two assaults, we can get full control of the victim's account without any doubt," the researcher said.
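The defence Facebook is described as applying, and the reason a proxy near the victim partly defeats it, can be made concrete with a small server-side session-binding check. The code below is an added illustration, not Kaspersky's analysis code or Facebook's implementation: it records the client context (IP network, user agent, device identifier) at the time a session cookie is issued, then compares every later request that presents the cookie against that context and decides whether to allow it, ask for a lightweight step-up challenge, or invalidate the cookie and require full re-authentication. The session records, request log lines and decision thresholds are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Session:
    """Client context captured when the session cookie was issued (constructed)."""
    user: str
    ip_network: str   # /24 for IPv4, /64 for IPv6, seen at login
    user_agent: str
    device_id: str    # app install id / browser fingerprint, sent separately from the cookie


def network_of(ip: str) -> str:
    """Reduce an address to its /24 (v4) or /64 (v6) so ordinary mobile
    address churn inside one network does not trigger alerts."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def new_session(user: str, ip: str, user_agent: str, device_id: str) -> Session:
    return Session(user, network_of(ip), user_agent, device_id)


def evaluate(session: Session, ip: str, user_agent: str, device_id: str):
    """Return (decision, reasons) for a request that presents the cookie.

    'allow'   - context matches what was seen at login
    'step_up' - one weak signal changed (e.g. app update); cheap challenge
    'reauth'  - device changed or several signals changed; drop the cookie
    """
    reasons = []
    if network_of(ip) != session.ip_network:
        reasons.append("new_network")
    if user_agent != session.user_agent:
        reasons.append("new_user_agent")
    if device_id != session.device_id:
        reasons.append("new_device")
    if "new_device" in reasons or len(reasons) >= 2:
        return "reauth", reasons
    if reasons:
        return "step_up", reasons
    return "allow", reasons


# Constructed data: one issued session and four requests replaying its cookie.
SESSIONS = {"c1": new_session("alice", "203.0.113.7", "FB4A/Android10", "dev-a1")}
REQUEST_LOG = [
    # (cookie_id, client_ip, user_agent, device_id)
    ("c1", "203.0.113.9", "FB4A/Android10", "dev-a1"),       # owner, same /24
    ("c1", "203.0.113.9", "FB4A/Android11", "dev-a1"),       # owner after app update
    ("c1", "198.51.100.20", "Mozilla/5.0 (X11)", "dev-zz"),  # cookie replayed from another machine
    ("c1", "203.0.113.40", "FB4A/Android10", "dev-zz"),      # replayed via a proxy in the victim's network
]


def triage(log=REQUEST_LOG, sessions=SESSIONS):
    """Evaluate each logged request; returns (cookie_id, decision, reasons) per line."""
    results = []
    for cookie_id, ip, user_agent, device_id in log:
        decision, reasons = evaluate(sessions[cookie_id], ip, user_agent, device_id)
        results.append((cookie_id, decision, reasons))
    return results


if __name__ == "__main__":
    for cookie_id, decision, reasons in triage():
        print(f"{cookie_id}: {decision:8s} {','.join(reasons) or '-'}")
```

The fourth request shows the limit of IP-based checks alone: routed through a proxy inside the victim's own network with a copied user agent, it passes the network and browser signals and is caught only by the device binding. That binding is only as strong as the secret behind it; if the device identifier is stored next to the cookie, a root-level thief can take both, so the check raises the bar and produces an auditable event rather than guaranteeing detection.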

The researchers have not yet determined what the criminals intend to do with Cookiethief, whether to take over users' social media accounts to spread malicious links or to carry out phishing attacks, but they did find on the C2 server a page advertising services for distributing spam on social networks and tweets. While Kaspersky found the attack to be a new threat, with around 1,000 people targeted in this way so far, it cautioned that this number is growing given how difficult such intrusions are to detect.
