Geeks for your information Security Security Vendors Kaspersky Kaspersky Security Blog v
Cookiethief: a cookie-stealing Trojan for Android
Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Cookiethief: a cookie-stealing Trojan for Android
harlan4096 Offline
MalWare Zoo Team
*******
Posts: 13,086
Threads: 8,948
Thanks Received: 8,809 in 6,968 posts
Thanks Given: 9,679
Joined: 12 September 18
#1
Bug  14 March 20, 08:59
Quote:
[Image: sl_cookiethief_02.png]

We recently discovered a new strain of Android malware. The Trojan (detected as: Trojan-Spy.AndroidOS.Cookiethief) turned out to be quite simple. Its main task was to acquire root rights on the victim device, and transfer cookies used by the browser and Facebook app to the cybercriminals’ server. This abuse technique is possible not because of a vulnerability in Facebook app or browser itself. Malware could steal cookie files of any website from other apps in the same way and achieve similar results.

How can stealing cookies be dangerous? Besides various settings, web services use them to store on the device a unique session ID that can identify the user without a password and login. This way, a cybercriminal armed with a cookie can pass himself off as the unsuspecting victim and use the latter’s account for personal gain.

Package name of the Cookiethief malware — com.lob.roblox, which is similar to that of the Roblox Android gaming client (com.roblox.client), but has nothing in common with Roblox.

To execute superuser commands, the malware connects to a backdoor installed on the same smartphone…

…and passes it a shell command for execution.

The backdoor Bood, located at the path /system/bin/.bood, launches the local server…

…and executes commands received from Cookiethief.

On the C&C server we also found a page advertising services for distributing spam on social networks and messengers, so it was not difficult to guess the motive behind the cookie-theft operation.

But there’s still a hurdle for the spammers that prevents them from gaining instant access to accounts just like that. For example, if Facebook detects an atypical user activity, the account may be blocked.

However, during our analysis of Cookiethief, we uncovered another malicious app with a very similar coding style and the same C&C server. The second “product” from (presumably) the same developers (detected as: Trojan-Proxy.AndroidOS.Youzicheng) runs a proxy on the victim’s device.

We believe that Youzicheng is tasked with bypassing the security systems of the relevant messenger or social network using a proxy server on the victim’s device. As a result, cybercriminals’ request to the website will look like a request from a legitimate account and not arouse suspicion.

To implement this method, an executable file is first downloaded.
...
Continue Reading
[-] The following 1 user says Thank You to harlan4096 for this post:
  • silversurfer
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:

[-]
Recent Posts
Brave 1.67.116
Release Notes 1.67...harlan4096 — 07:26
CrystalDiskInfo 9.3.1 [2024/06/15]
9.3.1 ​ Added A...harlan4096 — 07:24
Adobe Acrobat Reader DC (24.002.20854)
Adobe Acrobat Read...harlan4096 — 07:22
GFYI [Official] EaseUS Todo Backup Home...
"Share feedback...dhruv2193 — 15:36
Brave 1.67.115
Release Channel 1....harlan4096 — 10:12

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
avatar (37)Tedscolo
avatar (44)brakasig
avatar (43)JamesReshy
avatar (45)Francisemefe
avatar (38)leoniDup
avatar (37)Patrizaancem
avatar (37)biobdam
avatar (38)storoBox
avatar (46)kinotHeemn
avatar (37)Ceballos1976
avatar (38)efynu

[-]
Online Staff
There are no staff members currently online.

>