Monday, March 4, 2024

Cookiethief – Android Malware that Gains Root Access to Steal Browser & Facebook App Cookies

Researchers uncovered a new powerful Android malware called “Cookiethief ” that lunched by unknown cybercriminals to steal cookies from the browsers and Facebook app by acquiring the root access on the victim’s Android device.

Losing cookies to cybercriminals is deadly dangerous since web services use them to store on the device a unique session ID that can identify the user without a password and log in.

Stolen cookies let hackers obtain the session of the websites and use it to access the victim’s account on behalf of them for personal gain.

Cookiethief malware abusing the browser and Facebook app not because of the vulnerability, but malware could steal cookie files of any website from other apps and the same method used in the attack to steal the cookies.

Researchers believe that the Cookiethief malware possibly linked with widespread Trojans as Sivu, Triada, and Ztorg which all are a type of malware that exploits the OS vulnerabilities to get into the system folders.

A persistent backdoor like Bood, along with the auxiliary programs Cookiethief and Youzicheng, can end up on the device.

Cookiethief malware detects as “com.lob.roblox as HEUR:Trojan-Spy.AndroidOS.Cookiethief ., org.rabbit as HEUR:Trojan-Proxy.AndroidOS.Youzicheng, and Bood as HEUR:Backdoor.AndroidOS.Bood.a.

Cookiethief Infection Process

Initially, com.lob.roblox, a Package name of Cookiethief malware drop into the Android device that similar to that of the Roblox Android gaming client (com.roblox.client), but has nothing in common with Roblox.

Once it’s dropped, the malware connects to a backdoor installed on the same smartphone to execute the super command.

Malicious features of Trojan-Spy.AndroidOS.Cookiethief

Later it passes a Shell command for execution as a result, a backdoor called Bood will be dropped into a path /system/bin/.bood that helps to launch a local server and executes commands received from Cookiethief.

Researchers found a C2 server that used in this attack has a part of the advertising services for distributing spam on social networks and messengers, which makes it harder to predict the motivation of this malware attack on Android users.

According to Kaspersky’s research ” However, during our analysis of Cookiethief, we uncovered another malicious app with a very similar coding style and the same C&C server. The second “product” from (presumably) the same developers (detected as: Trojan-Proxy.AndroidOS.Youzicheng) runs a proxy on the victim’s device.”

This malicious app is believed to be used to bypass the security system on the relevant messenger or social network using a proxy server on the victim’s device to avoid the detection and request to the website will look like a request from a legitimate account.

To implement this method, an executable file is first downloaded and run on the targeted device.

These two attacks used by the attackers to avoid raising suspicion from Facebook and the attacker is now in the initial stage.

Indicators of Compromise



Also Read: New Krampus-3PC Malware Attacks iPhone Users to Steal Cookies and Redirects to Malicious Websites


Latest articles

US Court Orders NSO Group to Handover Code for Spyware, Pegasus to WhatsApp

Meta, the company that owns WhatsApp, filed a lawsuit against NSO Group in 2019....

New SSO-Based Phishing Attack Trick Users into Sharing Login Credentials  

Threat actors employ phishing scams to trick individuals into giving away important details like...

U.S. Charged Iranian Hacker, Rewards up to $10 Million

The United States Department of Justice (DoJ) has charged an Iranian national, Alireza Shafie...

Huge Surge in Ransomware-as-a-Service Attacks targeting Middle East & Africa

The Middle East and Africa (MEA) region has witnessed a surge in ransomware-as-a-service (RaaS)...

New Silver SAML Attack Let Attackers Forge Any SAML Response To Entra ID

SolarWinds cyberattack was one of the largest attacks of the century in which attackers...

AI Worm Developed by Researchers Spreads Automatically Between AI Agents

Researchers have developed what they claim to be one of the first generative AI...

20 Million+ Cutout.Pro User Records Leaked On Hacking Forums

CutOut.Pro, an AI-powered photo and video editing platform, has reportedly suffered a data breach,...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles