Everyone loves cookies – including cybercriminals. Their tastes however can run to a different sort of cookie, as evidenced by a fresh strain of Android malware that may be implanted prior to users purchasing a device.
Appropriately dubbed “Cookiethief” by the Kaspersky researchers who discovered it, the trojan has a straightforward goal: “Its main task was to acquire root rights on the victim device, and transfer cookies used by the browser and Facebook app to the cybercriminals’ server,” explained Kaspersky researchers Anton Kivva and Igor Golovin, in an analysis on Thursday.
Armed with the siphoned-off cookies, crooks can gain access to unique session IDs that can identify the user to webpages and services, allowing instant access without a password and login. Thus, attackers can impersonate legitimate users and infiltrate accounts with little to no effort.
In this specific case, Cookiethief’s operators are bent on ad fraud, using the hijacked accounts to send out spam.
“On the [command-and-control] server we also found a page advertising services for distributing spam on social networks and messengers, so it was not difficult to guess the motive behind the cookie-theft operation,” the researchers said.
Cookiethief does not make use of any vulnerability in the Facebook application or browser itself to nab the goods. Instead, once it’s installed on the device, the malware connects to a related backdoor installed on the same smartphone, and sends it a shell command for superuser command execution, researchers explained. “The backdoor Bood, located at the path /system/bin/.bood, launches the local server…and executes commands received from Cookiethief,” they wrote.
Kaspersky noted that the malware can find its way onto a device either by being planted in the firmware somewhere along the supply chain, before purchase – or, it can use vulnerabilities in the Android OS to infiltrate system folders and download other applications.
“As a result, a persistent backdoor like Bood, along with the auxiliary programs Cookiethief [and others], can end up on the device,” according to the researchers, who added that they have seen both tactics being used before by related malware.
Cookiethief doesn’t have carte blanche to raid the cookie jar – cookie-based instant access to accounts is blocked by Facebook and other services if a user’s activity is deemed atypical – such as logging in from a new device or location.
The malware authors apparently have anticipated this hurdle though: Another app on the same C2 server, dubbed Youzicheng, can be used to run a proxy on the victim’s device.
“We believe that Youzicheng is tasked with bypassing the security systems of the relevant messenger or social network using a proxy server on the victim’s device,” the researchers said. “As a result, cybercriminals’ request to the website will look like a request from a legitimate account and not arouse suspicion.”
So far there are about 1,000 Cookiethief victims, according to Kaspersky, but the figure is growing.
Interested in security for the Internet of Things and how 5G will change things? Join our free Threatpost webinar, “5G, the Olympics and Next-Gen Security Challenges,” as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. Register here.
