A recently discovered Android Trojan was designed to gain root access on infected devices and hijack Facebook accounts by stealing cookies from the browser and the social media app.
Referred to as Cookiethief (Trojan-Spy.AndroidOS.Cookiethief), the Trojan features a package name similar to that of the Roblox Android gaming client, although it has nothing in common with it, Kaspersky’s security researchers reveal.
While it’s uncertain how the Trojan infects devices (it does not exploit flaws in the Facebook application or the browser), it obtains root by connecting to another backdoor installed on the smartphone and passing it a shell command.
Called Bood, the backdoor launches a local server and executes the commands received from Cookiethief, Kaspersky has discovered.
Looking at the malware’s command and control (C&C) server, the security researchers found a page advertising services for sending spam on social networks and messengers, suggesting that this was the purpose of the cookie-theft operation.
“How can stealing cookies be dangerous? Besides various settings, web services use them to store on the device a unique session ID that can identify the user without a password and login. This way, a cybercriminal armed with a cookie can pass himself off as the unsuspecting victim and use the latter’s account for personal gain,” Kaspersky explains.
The researchers identified a second malicious application (Trojan-Proxy.AndroidOS.Youzicheng) that features very similar code, connects to the same C&C server, and runs a proxy on the victim’s device.
This second app is presumably designed to bypass Facebook protections by establishing a proxy server on the victim’s device in an effort to hide the suspicious activity.
“By combining these two attacks, cybercriminals can gain complete control over the victim’s account and not raise a suspicion from Facebook. These threats are only just starting to spread, and the number of victims, according to our data, does not exceed 1000, but the figure is growing,” Kaspersky says.
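To make concrete why the on-device proxy matters to the attackers, here is an added illustration (not code from Kaspersky’s report or from Facebook): a toy server-side session check that binds each session ID to the public IP seen at login. The session store, the check logic and all IP addresses are constructed for the example.

```python
# Added example (not from Kaspersky's report): a toy server-side session check
# showing why the Youzicheng proxy matters. Sessions are bound to the network
# seen at login; a stolen cookie replayed from elsewhere is flagged, but the
# same cookie replayed through a proxy on the victim's device is not.
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    login_ip: str          # public IP observed when the session was created


SESSIONS: dict[str, Session] = {}


def login(user: str, client_ip: str) -> str:
    """Create a session and return the cookie value (the unique session ID)."""
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = Session(user, client_ip)
    return sid


def check_request(cookie: str, client_ip: str) -> str:
    """Return 'ok', 'no-session', or 'ip-mismatch' for a presented cookie."""
    sess = SESSIONS.get(cookie)
    if sess is None:
        return "no-session"
    if sess.login_ip != client_ip:
        return "ip-mismatch"        # cookie replayed from a new network
    return "ok"


def simulate_cookie_theft() -> dict[str, str]:
    """Constructed scenario: the victim logs in; a stolen cookie is replayed
    directly from another network, then through a proxy on the victim's phone."""
    victim_ip = "203.0.113.10"      # constructed, RFC 5737 documentation range
    attacker_ip = "198.51.100.7"    # constructed, RFC 5737 documentation range
    cookie = login("victim", victim_ip)
    return {
        "victim": check_request(cookie, victim_ip),
        "direct_replay": check_request(cookie, attacker_ip),
        # Traffic routed through the on-device proxy exits from the victim's IP,
        # so a source-IP check alone cannot tell it from legitimate use.
        "replay_via_device_proxy": check_request(cookie, victim_ip),
    }
```

The `ip-mismatch` result is exactly the signal the proxy is built to suppress, which is why session validation that keys only on source IP needs additional context, such as device-integrity signals that a rooted device with a persistent backdoor would fail.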
The C&C server addresses and the encryption keys employed show connections between Cookiethief and Trojans such as Sivu, Triada, and Ztorg. Such malware is often pre-installed on devices, or is installed via operating system vulnerabilities.
“As a result, a persistent backdoor like Bood, along with the auxiliary programs Cookiethief and Youzicheng, can end up on the device,” Kaspersky concludes.