Researchers from Kaspersky have discovered a new malware, dubbed Cookiethief, that uses a combination of exploits that gain root access, then steal Facebook cookies from Android devices. Cookies are small pieces of data that are used to track and identify users on the internet. Some cookies, such as those targeted by Cookiethief, are used to authenticate the user and if stolen, can be used to take over an account. Cookiethief’s first attack is to gain root access to an Android device, although Kaspersky isn’t quite sure how this is done yet. The malware connects to a command and control (C2) server and sends the stolen Facebook cookies. A second branch of the malware launches a proxy on the victim’s device to make access appear legitimate to Facebook’s servers since the connection is coming from the same device. By combining these attacks, attackers are capable of completely hijacking a victim’s Facebook account to distribute undesirable content.
Analyst Notes
Enabling multi-factor authentication (MFA) is usually one of the most effective methods of protecting against unauthorized access. Whenever it is offered it is recommended to be enabled, although even MFA would not protect against this type of account hijacking using stolen cookies. With the unknown nature of the infection, basic security precautions are emphasized. Do not download Android apps from websites or links received from text messages. Only install trustworthy and well-reviewed apps from Google Play or reputable sources.
To read more: https://www.zdnet.com/article/android-malware-tweaks-expose-devices-to-browser-app-cookie-theft/
