Cookiethief: a cookie-stealing Trojan for Android
Quote:
[Image: sl_cookiethief_02.png]

We recently discovered a new strain of Android malware. The Trojan (detected as: Trojan-Spy.AndroidOS.Cookiethief) turned out to be quite simple. Its main task was to acquire root rights on the victim device and transfer cookies used by the browser and the Facebook app to the cybercriminals’ server. This abuse technique is possible not because of a vulnerability in the Facebook app or the browser itself. Malware could steal the cookie files of any website from other apps in the same way and achieve similar results.

How can stealing cookies be dangerous? Besides various settings, web services use them to store on the device a unique session ID that can identify the user without a password and login. This way, a cybercriminal armed with a cookie can pass himself off as the unsuspecting victim and use the latter’s account for personal gain.

The package name of the Cookiethief malware is com.lob.roblox, which is similar to that of the Roblox Android gaming client (com.roblox.client) but has nothing in common with Roblox.

To execute superuser commands, the malware connects to a backdoor installed on the same smartphone…

…and passes it a shell command for execution.

The backdoor Bood, located at the path /system/bin/.bood, launches the local server…

…and executes commands received from Cookiethief.

On the C&C server we also found a page advertising services for distributing spam on social networks and messengers, so it was not difficult to guess the motive behind the cookie-theft operation.

But there’s still a hurdle for the spammers that prevents them from gaining instant access to accounts just like that. For example, if Facebook detects an atypical user activity, the account may be blocked.

However, during our analysis of Cookiethief, we uncovered another malicious app with a very similar coding style and the same C&C server. The second “product” from (presumably) the same developers (detected as: Trojan-Proxy.AndroidOS.Youzicheng) runs a proxy on the victim’s device.

We believe that Youzicheng is tasked with bypassing the security systems of the relevant messenger or social network using a proxy server on the victim’s device. As a result, cybercriminals’ request to the website will look like a request from a legitimate account and not arouse suspicion.

To implement this method, an executable file is first downloaded.
...
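The quoted write-up names two host indicators a defender can check for directly: the Trojan's package name (com.lob.roblox) and the backdoor's path (/system/bin/.bood). The script below is an added example and is not code from the forum post or from the Securelist write-up it quotes. It parses text shaped like the output of `pm list packages -f` and `ls -la /system/bin` and flags exact matches, so that the legitimate Roblox client (com.roblox.client), which the post notes looks similar, is not reported as a false positive. The sample inventory text is constructed for this example; on a real device the two listings would be captured over adb, which is not done here so the script runs offline.

```python
"""Added example (not from the forum post or the quoted write-up): flag the
Cookiethief package name and the Bood backdoor path in device inventory text.
"""
import re

# Indicators taken from the quoted post. Exact package-name matching is used
# so the legitimate Roblox client (com.roblox.client) is never flagged.
MALICIOUS_PACKAGES = {"com.lob.roblox": "Trojan-Spy.AndroidOS.Cookiethief"}
BACKDOOR_PATHS = {"/system/bin/.bood": "Bood backdoor (local command server)"}

# Constructed sample text shaped like `pm list packages -f` output
# (package:<apk path>=<package name>).
SAMPLE_PM_OUTPUT = """\
package:/data/app/com.roblox.client-1/base.apk=com.roblox.client
package:/data/app/com.lob.roblox-2/base.apk=com.lob.roblox
package:/system/priv-app/Settings/Settings.apk=com.android.settings
"""

# Constructed sample text shaped like `ls -la /system/bin` output; -a matters,
# because the backdoor's filename starts with a dot and plain `ls` hides it.
SAMPLE_LS_OUTPUT = """\
-rwxr-xr-x 1 root shell  91232 2019-12-01 12:00 sh
-rwxr-xr-x 1 root root  204800 2020-01-15 09:12 .bood
-rwxr-xr-x 1 root shell  55120 2019-12-01 12:00 toybox
"""

PM_LINE = re.compile(r"^package:(?P<apk>\S+?)=(?P<name>[\w.]+)$")


def parse_packages(pm_output):
    """Return {package_name: apk_path} from `pm list packages -f` style text."""
    packages = {}
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            packages[m.group("name")] = m.group("apk")
    return packages


def parse_listing(ls_output, directory):
    """Return the set of absolute paths named in an `ls -la <directory>` listing."""
    paths = set()
    for line in ls_output.splitlines():
        fields = line.split()
        # mode, links, owner, group, size, date, time, name
        if len(fields) >= 8:
            paths.add(f"{directory.rstrip('/')}/{fields[-1]}")
    return paths


def find_indicators(pm_output, ls_output, directory="/system/bin"):
    """Return a list of (indicator, description) hits; an empty list means no match."""
    hits = []
    for name in parse_packages(pm_output):
        if name in MALICIOUS_PACKAGES:
            hits.append((name, MALICIOUS_PACKAGES[name]))
    for path in parse_listing(ls_output, directory):
        if path in BACKDOOR_PATHS:
            hits.append((path, BACKDOOR_PATHS[path]))
    return hits


if __name__ == "__main__":
    for indicator, description in find_indicators(SAMPLE_PM_OUTPUT, SAMPLE_LS_OUTPUT):
        print(f"HIT {indicator}: {description}")
```

Matching on the full package name rather than the substring "roblox" is the point of the example: the post's warning is precisely that the malicious name imitates a legitimate one, so a loose match would flag the real client and a strict one catches only the imposter. The same structure takes additional indicators by extending the two dictionaries.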