Who stole the cookie from the cookie jar? It’s Cookiethief, a newly discovered Android trojan that gains root access to devices and exfiltrates browser and Facebook app cookies to a malicious server.
Attackers typically use stolen cookies to impersonate victims and access their online accounts in unauthorized fashion. In this instance, researchers believe the culprits are using the cookies for a spam scheme, based on an investigation of the attackers’ command-and-control server, which turned up a page that advertises services for distributing spam on social networks and messenger apps.
The campaign appears to be in its early stages, with fewer than 1,000 known victims, according to a Thursday blog post from Kaspersky, whose research team discovered the threat.
“To execute superuser commands, the malware connects to a backdoor installed on the same smartphone and passes it a shell command for execution,” states the report, authored by Kaspersky researchers Anton Kivva and Igor Golovin. “The backdoor Bood, located at the path /system/bin/.bood, launches the local server and executes commands received from Cookiethief.”
The researchers also uncovered a second malicious app, Youzicheng, which the attackers are apparently using to run a proxy on victims’ devices in order to circumvent the security mechanisms of social networks or messenger services that might otherwise flag spam activity.
“By combining these two attacks, cybercriminals can gain complete control over the victim’s account and not raise a suspicion from Facebook,” the blog post states.
It is currently unknown precisely how victims are infected, but Kaspersky notes that this kind of malware often times is secretly installed in a device’s firmware prior to purchase, or it sneaks into system folders via operation system vulnerabilities. A browser or Facebook bug is not, however, to blame.