Cookiethief Android Malware Employs Web Cookies to Hijack Facebook Accounts

When you get a new phone, perhaps you think about which protective case to buy, or maybe you jump straight into setting up the device and transferring data from the old one. Once that is done, you are likely to sign into all of your accounts, restore app data, and try out the new and improved camera. For most people, getting a new phone is a joyous experience, but it is not all fun and games. Before you start using and enjoying the device, you need to secure it: install legitimate antimalware and password management tools, set up strong authentication so that others cannot unlock it, and make sure device encryption is enabled so that nobody can read your private information if the phone is lost or stolen. Unfortunately, even the smallest cracks in security can aid cybercriminals.

The Cookiethief trojan threatens the security of Android users

You might already know what web cookies are, or at least that they exist. You can read more about web cookies in this report, but what you really need to know right now is that cookies are small pieces of data that a website or app stores on your device, containing information about the site, the app, and your interaction with them. One of the most important of these is the session cookie, the token that keeps you logged in so that you do not have to enter your password on every request. For example, web cookies used by Facebook “store and receive identifiers and other information on computers, phones, and other devices.” As discussed in Facebook’s cookies policy, they are used for the purposes of authentication, security, product integrity, advertising, enabling site functions, performance, analytics, and research. Our recommendation is that you always review how cookies are used before you start using a new service or install new software and extensions. That is because some cookies are more intrusive than others, and some service providers can exploit them in undesirable ways.

The devious Cookiethief trojan steals web cookies in order to bypass Facebook authentication without the user’s consent; put simply, this Android malware hijacks Facebook accounts whenever it gets the chance. According to Anton Kivva and Igor Golovin at SecureList, Cookiethief does not exploit any known browser or Facebook vulnerability to get at the cookie data. Instead, it relies on a second piece of malware that must already be present on the device: a backdoor named Bood. Bood launches a local server on the phone and executes the commands that Cookiethief sends to it, and through this backdoor the trojan acquires root rights on the targeted device. With root, the attackers can read the cookie stores of the installed browser and of the Facebook app, which app sandboxing would otherwise keep out of reach, and transfer the cookies to their server. Once that succeeds, the stolen cookies are in the attackers’ hands.

According to the researchers who uncovered Cookiethief, the attackers use the stolen cookie data to take over accounts, and the Android malware hijacks Facebook accounts fairly seamlessly because it does so without alerting the service’s built-in security checks. How does that work? It is believed that a second infection, known as Trojan-Proxy.AndroidOS.Youzicheng, is involved. This malware runs a proxy on the infected device so that the attackers’ requests are routed through the victim’s phone. A session cookie presented from an unfamiliar IP address or location is exactly the kind of anomaly that account-protection systems look for; relayed through the proxy, the request appears to come from the device and network the legitimate user normally uses, and the check is not triggered. This additional trojan, which the researchers believe belongs to the same attackers, downloads an executable file onto the device, requests its proxy configuration, and then runs the file. If all goes according to plan, the stolen cookies contain the session identifiers that let the attackers act as the logged-in user without ever knowing the username or password.
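The interplay described above, as an added example that is not code from the original article or from the SecureList research: a small Python sketch of a server-side session check that binds a session cookie to the context in which it was issued. It shows why a check on IP address and user agent alone is defeated by a proxy running on the victim’s phone, while a check that also binds the session to a client-side fingerprint still catches the replay. The `client_fp` field is a hypothetical stand-in for a signal that a proxy merely forwards (something like a TLS fingerprint of the client stack); the session id, IP addresses and user-agent strings are constructed values for illustration.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One authenticated request as seen by the server (constructed data)."""
    session_id: str
    ip: str
    user_agent: str
    # Hypothetical client-side signal (think TLS/JA3-style fingerprint of the
    # client stack). A proxy on the victim's phone only forwards bytes, so the
    # attacker's own client still produces the attacker's fingerprint.
    client_fp: str


@dataclass
class SessionContext:
    """What the server remembers about the context a session was issued in."""
    ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    user_agent: str
    client_fp: str


class SessionMonitor:
    """Binds each session id to its issuing context and scores later uses."""

    def __init__(self) -> None:
        self._sessions: dict[str, SessionContext] = {}

    def issue(self, req: Request) -> None:
        """Record the context of the legitimate login that created the session."""
        self._sessions[req.session_id] = SessionContext(
            ipaddress.ip_address(req.ip), req.user_agent, req.client_fp
        )

    def check(self, req: Request, *, bind_fp: bool) -> list[str]:
        """Return the anomalies found for a request presenting a session cookie.

        bind_fp=False compares IP and user agent only, the check a
        Youzicheng-style proxy is meant to defeat; bind_fp=True also compares
        the client fingerprint.
        """
        ctx = self._sessions.get(req.session_id)
        if ctx is None:
            return ["unknown-session"]
        findings: list[str] = []
        if ipaddress.ip_address(req.ip) != ctx.ip:
            findings.append("ip-changed")
        if req.user_agent != ctx.user_agent:
            findings.append("user-agent-changed")
        if bind_fp and req.client_fp != ctx.client_fp:
            findings.append("client-fingerprint-changed")
        return findings


def scenario() -> dict[str, list[str]]:
    """Replay a stolen cookie in three ways (all values are constructed)."""
    monitor = SessionMonitor()
    # The victim logs in from the app on the phone; session "sess-1" is issued.
    victim = Request("sess-1", "203.0.113.7", "VictimApp/1.0", "fp-victim")
    monitor.issue(victim)

    # 1. Attacker replays the stolen cookie straight from their own server.
    direct = Request("sess-1", "198.51.100.9", "Mozilla/5.0 (X11)", "fp-attacker")
    # 2. Attacker routes the same request through a proxy on the victim's phone
    #    and copies the app's user agent: the server now sees the victim's IP.
    proxied = Request("sess-1", "203.0.113.7", "VictimApp/1.0", "fp-attacker")

    return {
        "direct_ip_ua": monitor.check(direct, bind_fp=False),
        "proxied_ip_ua": monitor.check(proxied, bind_fp=False),
        "proxied_bound": monitor.check(proxied, bind_fp=True),
    }


if __name__ == "__main__":
    for name, findings in scenario().items():
        print(f"{name}: {findings or 'no anomaly'}")
```

The direct replay trips both the IP and user-agent checks, the proxied replay trips neither, and only the fingerprint-bound check still flags it. In a real deployment the IP comparison would be coarser (mobile networks change addresses constantly, so ASN or country is a more useful unit) and a mismatch would trigger step-up authentication rather than an outright block, but the lesson is the same: a session cookie must be bound to something the attacker cannot borrow from the victim’s phone.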

Why does Cookiethief need access to your Facebook accounts, and where does it come from?

It is hard to say how the malicious Cookiethief trojan got onto your device, but there are two probable scenarios. First, your Android device might have been vulnerable at some point. Vulnerabilities in the Android OS and even in certain apps can open security cracks through which a backdoor like Bood can slip in, and the same vulnerabilities can serve the Cookiethief and Youzicheng trojans too. Note that the opening could also be created by a malicious app that you downloaded yourself from an unreliable source. The second scenario is more vicious. If you bought your Android phone from an individual or a suspicious website rather than from an official vendor or trusted distributor, the trojan and the backdoor could have been implanted before you ever saw the device.

When Cookiethief was analyzed, the researchers accessed its C&C server, and the information found there suggests that this Android malware hijacks Facebook accounts for the purpose of spreading spam. That means your Facebook account could be taken over to make public posts and send direct messages via the Messenger app on your behalf. All kinds of misleading posts and messages could be sent with your name attached to them (example 1, example 2, example 3), exposing your friends, family members, and colleagues to financial scams, malware, and further account hijacking.

How to protect yourself

How secure your Android device is depends on what you do with it from the get-go. If you buy it from a friend or a family member, you are probably safe. However, if you are trusting someone you do not know, or a suspicious, unfamiliar vendor, you need to be cautious. Once the new device is in your hands, take good care of it. If you focus on securing the device, keeping the OS and installed apps updated, implementing security tools, and enabling all available security features, your chances of evading Cookiethief are higher. Without a doubt, you do not want to download apps from unfamiliar sources either. We suggest sticking to the Play Store, but keep in mind that even this source is not free of malware.

While it may not matter much how strong your passwords are when it comes to threats like Cookiethief, which rides on an already-authenticated session rather than guessing a password, remember that there are tons of other threats that prey on weak, easy-to-crack passwords. If you suspect your cookies have been stolen, log out of all active Facebook sessions from the account’s security settings, which invalidates the session cookies the attackers are holding, and remove the malware before you log back in; otherwise the new session can simply be stolen again. If you do not want to be a victim of password-based threats, we suggest taking care of password security as well. Our advice is to implement the Cyclonis Password Manager. Hopefully, if you are cautious, you will not need to worry about dangerous Android malware hijacking your Facebook account any time soon, or ever.

By Foley
June 8, 2020