Once installed, the malware seeks administrative privileges and attempts to steal the user's Facebook credentials by prompting them to “verify” their account when they open the social media app, according to a Jan. 18 blog post.
The malware also uses anti-sandboxing defenses and will only retrieve its payload, disguised as “Google Play Services,” if it detects that it is not running in an emulator or virtual environment.
“The use of video downloaders as social engineering hooks — enticing users with features that allow them to download videos for offline viewing — concurs with our detections for GhostTeam. India, Indonesia, Brazil, Vietnam, and the Philippines, reported to have the most Facebook users, are also the most affected by GhostTeam,” researchers said in the post.
Researchers warn the stolen credentials can be repurposed to deliver more damaging malware or to amass a zombie social media army that spreads fake news or cryptocurrency-mining malware. The credentials can also be used to obtain financial and personally identifiable information that can be sold on the dark web.