‘Cookiethief’ Android Malware Hijacks Facebook Accounts

A recently discovered Android Trojan was designed to gain root access on infected devices and hijack Facebook accounts by stealing cookies from the browser and the social media app.

Referred to as Cookiethief (Trojan-Spy.AndroidOS.Cookiethief), the Trojan features a package name similar to that of the Roblox Android gaming client, although it has nothing in common with it, Kaspersky’s security researchers reveal.

While it’s uncertain how the Trojan infects devices — it does not exploit flaws in the Facebook application or the browser — it achieves root by connecting with another backdoor installed on the smartphone, and passes it a shell command.

Called Bood, the backdoor launches a local server and executes the commands received from Cookiethief, Kaspersky has discovered.

Looking at the malware’s command and control (C&C) server, the security researchers found a page advertising services for sending spam on social networks and messengers, suggesting that this was the purpose of the cookie-theft operation.

“How can stealing cookies be dangerous? Besides various settings, web services use them to store on the device a unique session ID that can identify the user without a password and login. This way, a cybercriminal armed with a cookie can pass himself off as the unsuspecting victim and use the latter’s account for personal gain,” Kaspersky explains.

The researchers identified a second malicious application (Trojan-Proxy.AndroidOS.Youzicheng) featuring very similar coding and connecting to the same C&C server, which runs a proxy on the victim’s device.

This second app is presumably designed to bypass Facebook protections by establishing a proxy server on the victim’s device in an effort to hide the suspicious activity.
“By combining these two attacks, cybercriminals can gain complete control over the victim’s account and not raise a suspicion from Facebook. These threats are only just starting to spread, and the number of victims, according to our data, does not exceed 1000, but the figure is growing,” Kaspersky says.

The C&C server addresses and employed encryption keys show connections between Cookiethief and Trojans such as Sivu, Triada, and Ztorg. Such malware is often pre-installed on devices, or is installed via operating system vulnerabilities.

“As a result, a persistent backdoor like Bood, along with the auxiliary programs Cookiethief and Youzicheng, can end up on the device,” Kaspersky concludes.
Written By

Ionut Arghire is an international correspondent for SecurityWeek.