Researchers from Kaspersky have discovered a new malware, dubbed Cookiethief, that uses a combination of exploits that gain root access, then steal Facebook cookies from Android devices. Cookies are small pieces of data that are used to track and identify users on the internet. Some cookies, such as those targeted by Cookiethief, are used to authenticate the user and if stolen, can be used to take over an account. Cookiethief’s first attack is to gain root access to an Android device, although Kaspersky isn’t quite sure how this is done yet. The malware connects to a command and control (C2) server and sends the stolen Facebook cookies. A second branch of the malware launches a proxy on the victim’s device to make access appear legitimate to Facebook’s servers since the connection is coming from the same device. By combining these attacks, attackers are capable of completely hijacking a victim’s Facebook account to distribute undesirable content.
By Akshay Rohatgi and Randy Pargman About this Student Research Project Binary Defense’s mission is