Wednesday, April 30, 2025

Cookiethief – Android Malware that Gains Root Access to Steal Browser & Facebook App Cookies


Researchers have uncovered a new Android malware, dubbed “Cookiethief”, launched by unknown cybercriminals to steal cookies from browsers and from the Facebook app by acquiring root access on the victim’s Android device.

Losing cookies to cybercriminals is dangerous because web services store a unique session ID in a cookie on the device, and that ID identifies the user to the service without the user having to enter a password and log in again.

With a stolen session cookie, an attacker can replay the victim’s session and act within the victim’s account, on the victim’s behalf, for personal gain.


Cookiethief does not abuse a vulnerability in the browser or in the Facebook app: once it has root, it can read the cookie files that any app keeps on the device, so the same method would work for the cookies of any website.

Researchers believe that Cookiethief is possibly linked to widespread Trojans such as Sivu, Triada, and Ztorg, all of which exploit OS vulnerabilities to get into the system folders.

A persistent backdoor like Bood, along with the auxiliary programs Cookiethief and Youzicheng, can then end up on the device.

The components are detected as follows: com.lob.roblox as HEUR:Trojan-Spy.AndroidOS.Cookiethief, org.rabbit as HEUR:Trojan-Proxy.AndroidOS.Youzicheng, and Bood as HEUR:Backdoor.AndroidOS.Bood.a.

Cookiethief Infection Process

Initially, com.lob.roblox, the package name used by Cookiethief, is dropped onto the Android device. The name resembles that of the Roblox Android gaming client (com.roblox.client) but has nothing in common with Roblox.

Once it is installed, the malware connects to a backdoor already present on the same smartphone in order to execute commands as superuser (root).

Figure: Malicious features of Trojan-Spy.AndroidOS.Cookiethief

It then passes a shell command to that backdoor, Bood, which lives at the path /system/bin/.bood, launches a local server, and executes the commands it receives from Cookiethief.

Researchers found that the C2 server used in this attack is part of an advertising service for distributing spam on social networks and messengers, which makes the motivation behind this attack on Android users harder to pin down.

According to Kaspersky’s research: “However, during our analysis of Cookiethief, we uncovered another malicious app with a very similar coding style and the same C&C server. The second “product” from (presumably) the same developers (detected as: Trojan-Proxy.AndroidOS.Youzicheng) runs a proxy on the victim’s device.”

This second app is believed to be used to bypass the security systems of the relevant messenger or social network: by routing requests through a proxy running on the victim’s device, a request made with the stolen cookie appears to come from the legitimate account’s own device, which helps it avoid detection.

To implement this, an executable file is first downloaded to and run on the targeted device.

The two components are used together so as not to raise suspicion on Facebook’s side; researchers assess that the attack is still in its initial stage.

Indicators of Compromise

MD5

65a92baefd41eb8c1a9df6c266992730
f84a43b008a25ba2ba1060b33daf14a5
c907d74ace51cec7cb53b0c8720063e1
c9c252362fd759742ea9766a769dbabe
8312e7c626cac368f0bd79c9c8da5bd7
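The indicators above (two package names, the hidden backdoor path, and the five MD5 hashes) are enough to build a small offline triage check for a device image or an `adb` dump. The script below is an added example, not code from the article or from Kaspersky; it assumes the responder has collected `pm list packages` output and an `md5sum` listing of files of interest (both inputs here are constructed samples), and it adds one heuristic of its own, flagging any Roblox-branded package name other than the genuine com.roblox.client, which goes beyond the article’s specific lookalike.

```python
"""Offline IoC matcher for the Cookiethief / Youzicheng / Bood indicators.

Added example (not Kaspersky's or the article's code). The input formats,
`pm list packages` lines and `md5sum` lines, are an assumption about how a
responder would collect data from a suspect Android device.
"""
import re

# Indicators quoted from the article.
IOC_PACKAGES = {
    "com.lob.roblox": "HEUR:Trojan-Spy.AndroidOS.Cookiethief",
    "org.rabbit": "HEUR:Trojan-Proxy.AndroidOS.Youzicheng",
}
IOC_PATHS = {"/system/bin/.bood": "HEUR:Backdoor.AndroidOS.Bood.a"}
IOC_MD5 = {
    "65a92baefd41eb8c1a9df6c266992730",
    "f84a43b008a25ba2ba1060b33daf14a5",
    "c907d74ace51cec7cb53b0c8720063e1",
    "c9c252362fd759742ea9766a769dbabe",
    "8312e7c626cac368f0bd79c9c8da5bd7",
}
LEGIT_ROBLOX = "com.roblox.client"  # the genuine client the dropper imitates

_MD5SUM_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(.+)$")  # "<hex>  <path>"
_PM_LINE = re.compile(r"^package:(\S+)$")                     # "package:<name>"


def parse_md5sum(text: str) -> dict:
    """Parse md5sum-style output into {path: lowercase hex digest}."""
    out = {}
    for line in text.splitlines():
        m = _MD5SUM_LINE.match(line.strip())
        if m:
            out[m.group(2).strip()] = m.group(1).lower()
    return out


def parse_pm_list(text: str) -> set:
    """Parse `pm list packages` output into a set of package names."""
    found = set()
    for line in text.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            found.add(m.group(1))
    return found


def scan(packages: set, file_hashes: dict) -> list:
    """Return (kind, value, detail) findings for every indicator that matches."""
    findings = []
    for pkg in sorted(packages):
        if pkg in IOC_PACKAGES:
            findings.append(("package", pkg, IOC_PACKAGES[pkg]))
        elif "roblox" in pkg.lower() and pkg != LEGIT_ROBLOX:
            # Heuristic added here (assumption): any other Roblox-branded
            # package name deserves a look, since the dropper imitates Roblox.
            findings.append(("lookalike-package", pkg,
                             "Roblox-branded name that is not " + LEGIT_ROBLOX))
    for path, digest in file_hashes.items():
        if path in IOC_PATHS:
            findings.append(("path", path, IOC_PATHS[path]))
        if digest in IOC_MD5:
            findings.append(("md5", path, digest))
    return findings


# Constructed sample inputs: one hash is taken from the article's IoC list,
# the other two are the MD5 of "" and of "a", used only as filler.
SAMPLE_PM = """package:com.android.chrome
package:com.roblox.client
package:com.lob.roblox
package:org.rabbit
package:com.example.notes
"""
SAMPLE_MD5SUM = """65a92baefd41eb8c1a9df6c266992730  /data/app/com.lob.roblox-1/base.apk
d41d8cd98f00b204e9800998ecf8427e  /system/bin/.bood
0cc175b9c0f1b6a831c399e269772661  /system/bin/sh
"""


def demo() -> list:
    """Run the scan over the constructed samples."""
    return scan(parse_pm_list(SAMPLE_PM), parse_md5sum(SAMPLE_MD5SUM))


if __name__ == "__main__":
    for kind, value, detail in demo():
        print(f"[{kind}] {value}: {detail}")
```

On a real device the `pm list packages` and `md5sum` outputs would come from `adb shell`; note that a dotfile such as /system/bin/.bood is skipped by a plain `ls`, so the file listing fed to `md5sum` must include hidden entries, and the package check only sees what the package manager reports, which a root-level implant can hide.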


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
