Threat actors have been using the novel FFDroider information stealer to exfiltrate browser-stored credentials and cookies and then use them to take over victims' social media accounts, according to BleepingComputer.
Distributed through cracked software and games, FFDroider installs itself disguised as a Telegram desktop app and then creates a Windows registry key, a Zscaler report revealed.
To harvest account credentials and cookies stored in various browsers, the malware first reads and parses the Chromium SQLite cookie store and SQLite credential store, then calls the Windows Crypt API to decrypt the stored entries.
While other password-stealing trojans have focused on browser-stored credentials alone, FFDroider specifically targets credentials for Facebook, Twitter, Instagram, and Etsy, as well as eCommerce sites such as Amazon and eBay and the WAX Cloud wallet portal.
Researchers found that, once it authenticates successfully to Facebook, FFDroider retrieves all of the victim's Facebook pages and bookmarks, along with their payment data, account billing details, and friend count.
Against Instagram, the malware exfiltrates the victim's email address, mobile number, credentials, and other account information.