
Cookie-stealing Android trojan likely used for spam distribution campaign

Who stole the cookie from the cookie jar? It's Cookiethief, a newly discovered Android trojan that gains root access to devices and exfiltrates browser and Facebook app cookies to a malicious server.

Attackers typically use stolen cookies to impersonate victims and access their online accounts in unauthorized fashion. In this instance, researchers believe the culprits are using the cookies for a spam scheme, based on an investigation of the attackers' command-and-control server, which turned up a page that advertises services for distributing spam on social networks and messenger apps.

The campaign appears to be in its early stages, with fewer than 1,000 known victims, according to a Thursday blog post from Kaspersky, whose research team discovered the threat.

"To execute superuser commands, the malware connects to a backdoor installed on the same smartphone and passes it a shell command for execution," states the report, authored by Kaspersky researchers Anton Kivva and Igor Golovin. "The backdoor Bood, located at the path /system/bin/.bood, launches the local server and executes commands received from Cookiethief."

The researchers also uncovered a second malicious app, Youzicheng, which the attackers are apparently using to run a proxy on victims' devices in order to circumvent the security mechanisms of social networks or messenger services that might otherwise flag spam activity.

"By combining these two attacks, cybercriminals can gain complete control over the victim’s account and not raise a suspicion from Facebook," the blog post states.

It is currently unknown precisely how victims are infected, but Kaspersky notes that this kind of malware is oftentimes secretly installed in a device's firmware prior to purchase, or it sneaks into system folders via operating system vulnerabilities. A browser or Facebook bug is not, however, to blame.

Bradley Barth

