‘Cookiethief’ Android Malware Hijacks Facebook Accounts

A recently discovered Android Trojan was designed to gain root access on infected devices and hijack Facebook accounts by stealing cookies from the browser and the social media app.

Referred to as Cookiethief (Trojan-Spy.AndroidOS.Cookiethief), the Trojan features a package name similar to that of the Roblox Android gaming client, although it has nothing in common with it, Kaspersky’s security researchers reveal.

Although it is unclear how the Trojan gets onto devices (it does not exploit flaws in the Facebook application or the browser), it obtains root by connecting to a second backdoor already installed on the smartphone and passing it a shell command.

Called Bood, the backdoor launches a local server and executes the commands received from Cookiethief, Kaspersky has discovered.

Looking at the malware’s command and control (C&C) server, the security researchers found a page advertising services for sending spam on social networks and messengers, suggesting that this was the purpose of the cookie-theft operation.

“How can stealing cookies be dangerous? Besides various settings, web services use them to store on the device a unique session ID that can identify the user without a password and login. This way, a cybercriminal armed with a cookie can pass himself off as the unsuspecting victim and use the latter’s account for personal gain,” Kaspersky explains.

The researchers identified a second malicious application (Trojan-Proxy.AndroidOS.Youzicheng) with very similar code that connects to the same C&C server and runs a proxy on the victim’s device.

This second app is presumably designed to bypass Facebook protections by establishing a proxy server on the victim’s device in an effort to hide the suspicious activity.
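The proxy matters because a stolen cookie replayed through the victim’s own handset arrives from the victim’s usual IP address, so a server that checks only the IP sees nothing unusual. The following is an added example (not code from the article or from Kaspersky) of a server-side session check that also binds the session to other client attributes, run over constructed sample requests: a legitimate one from the victim’s phone and a replay of the same cookie whose client stack differs.

```python
"""Session-binding check. A stolen session cookie proxied through the victim's
device keeps the victim's source IP, so an IP-only check passes it. Binding
the session to further client attributes (here User-Agent and Accept-Language)
makes that replay detectable. Example added here; not the article's own code."""
import hashlib
import hmac
import secrets

# Server-side HMAC key; generated per process for this example.
SECRET = secrets.token_bytes(32)

def fingerprint(req: dict) -> str:
    """Keyed hash of the client attributes the session is bound to."""
    material = "|".join(req.get(k, "") for k in ("ip", "user_agent", "accept_language"))
    return hmac.new(SECRET, material.encode(), hashlib.sha256).hexdigest()

def issue_session(store: dict, user: str, req: dict) -> str:
    """Create a session id and record both the IP and the full fingerprint."""
    sid = secrets.token_urlsafe(32)
    store[sid] = {"user": user, "ip": req["ip"], "fp": fingerprint(req)}
    return sid

def validate_ip_only(store: dict, sid: str, req: dict) -> bool:
    """Weak check: only the source IP must match the one seen at login."""
    s = store.get(sid)
    return s is not None and s["ip"] == req["ip"]

def validate_bound(store: dict, sid: str, req: dict) -> bool:
    """Stronger check: every bound attribute must match (constant-time compare)."""
    s = store.get(sid)
    return s is not None and hmac.compare_digest(s["fp"], fingerprint(req))

# Constructed sample traffic (placeholder addresses and user agents).
VICTIM = {"ip": "203.0.113.10",
          "user_agent": "Mozilla/5.0 (Linux; Android 9) Chrome/80",
          "accept_language": "en-US"}
# Replay of the same cookie routed through the proxy on the victim's device:
# identical source IP, but the tooling behind it presents a different client.
REPLAY = {"ip": "203.0.113.10",
          "user_agent": "python-requests/2.22",
          "accept_language": ""}

def demo() -> dict:
    store = {}
    sid = issue_session(store, "victim", VICTIM)
    return {"ip_only_passes_replay": validate_ip_only(store, sid, REPLAY),
            "bound_passes_replay": validate_bound(store, sid, REPLAY),
            "bound_passes_victim": validate_bound(store, sid, VICTIM)}
```

Client headers can be copied as well, so this binding raises the cost of cookie replay rather than eliminating it; it is best paired with re-authentication for sensitive actions and alerting on fingerprint mismatches.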

“By combining these two attacks, cybercriminals can gain complete control over the victim’s account and not raise a suspicion from Facebook. These threats are only just starting to spread, and the number of victims, according to our data, does not exceed 1000, but the figure is growing,” Kaspersky says.

The C&C server addresses and the encryption keys in use show connections between Cookiethief and Trojans such as Sivu, Triada, and Ztorg. Such malware is often pre-installed on devices, or is installed through operating system vulnerabilities.

“As a result, a persistent backdoor like Bood, along with the auxiliary programs Cookiethief and Youzicheng, can end up on the device,” Kaspersky concludes.

Related: Threat From Pre-Installed Malware on Android Phones is Growing

Related: Google Removes 600 Android Apps for Displaying Disruptive Ads

Related: App Found in Google Play Exploits Recent Android Zero-Day

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
