Posted on March 13, 2020 at 6:09 PM
A piece of malware is reportedly targeting Facebook cookies, and the Trojan keeps growing in popularity.
Kaspersky researchers who discovered the malware called it Cookiethief. The malware operates by acquiring “root” system control on the targeted devices and looks for Facebook session cookies.
Afterward, it sends the cookies to a remote server, which gives the operators the ability to command and control the affected devices.
Although it is not yet clear how the Trojan infiltrated the Android devices, Kaspersky researchers Igor Golovin and Anton Kivva pointed out in a blog post yesterday that it was due to a weakness either in the browser or in the Facebook application.
Protection from Cookiethief
The security researchers have advised users on how to protect themselves from the Cookiethief Trojan. According to them, Android users need to block third-party cookies in their Android browsers.
They also advised users to periodically clear their cookies through the settings section from their browser’s menu. Clearing the cookies will automatically delete any third-party cookies they have missed or that escaped detection. After clearing the cookies, they should install and use a good Android antivirus app.
Also, they can occasionally log out of and back into their Facebook account via the Facebook app to reset the cookie. According to the researchers, these are some of the steps users can take to protect themselves from the Cookiethief Android malware.
These attackers can disguise their activities and make websites believe they are the legitimate account holders, which can lead to data theft, account compromise, and possibly hijacking.
How the Cookiethief Trojan operates
Session cookies usually keep you logged in to Facebook or other online platforms for several weeks, with no need for you to log back in.
Cookies are generally not considered harmful to systems. Some of them are even useful because they help you stay logged in for several months.
However, when websites store and use them to get unique session IDs to keep users logged in, losing them could be a security risk.
A cybercriminal can get hold of your account details without any knowledge of your password. But gaining access to the Facebook account requires more than stealing cookies since the Facebook account could be blocked when there is any suspicious activity.
Even though Facebook has geographical protection against the misuse of session keys, Cookiethief still finds a way around it.
Facebook usually verifies whether the person using the account is actually in the right geographical location. But what Cookiethief does is install another piece of malware that establishes a proxy server on the Android device, which circumvents Facebook's layer of geographical access security.
By spoofing the geographical location of the account owner, the attackers could be anywhere in the world to carry out their attack. But the Facebook security protocol would think the device is being operated right from the home of the device owner.
Kaspersky researchers stated that “By combining these two attacks, cybercriminals can gain complete control over the victim’s account and not raise suspicion from Facebook.”
At the time of infection, the Bood backdoor is installed; it connects to a command-and-control server and executes the Cookiethief commands.
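The geographical check and the proxy bypass described above, as an added defender-side illustration (a constructed example, not Kaspersky's or Facebook's code): a small analyzer over constructed access-log lines that binds each session cookie to the country and client fingerprint first seen with it, and shows what a geo-only policy misses once the replayed cookie arrives through a proxy on the victim's own phone. The log field names and the `client` fingerprint field are assumptions.

```python
# Constructed access-log lines (not real Facebook logs): timestamp, session
# cookie id, source country and an assumed client fingerprint field.
LOG = [
    "2020-03-12T10:00:00 sid=s1 country=BR client=android-fbapp",
    "2020-03-12T10:05:00 sid=s1 country=BR client=android-fbapp",
    # stolen cookie replayed directly from abroad: the geo check catches this
    "2020-03-12T11:00:00 sid=s1 country=RU client=desktop-curl",
    # same cookie replayed through a proxy on the victim's phone: the country
    # matches the login, so only the client fingerprint differs
    "2020-03-12T11:30:00 sid=s1 country=BR client=desktop-curl",
    "2020-03-12T12:00:00 sid=s2 country=DE client=android-fbapp",
]


def parse(line):
    """Split one log line into its timestamp and a dict of key=value fields."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return ts, fields


def analyze(lines, check_client=True):
    """Bind each session id to the country (and, optionally, the client
    fingerprint) first seen with it and return (ts, sid, reason) alerts for
    later requests that deviate. check_client=False models a geo-only policy."""
    baseline = {}
    alerts = []
    for line in lines:
        ts, f = parse(line)
        sid = f["sid"]
        if sid not in baseline:
            baseline[sid] = (f["country"], f["client"])
            continue
        country0, client0 = baseline[sid]
        if f["country"] != country0:
            alerts.append((ts, sid, "geo-mismatch"))
        elif check_client and f["client"] != client0:
            # A fingerprint can be imitated too; this narrows, but does not
            # close, the gap that the on-device proxy opens.
            alerts.append((ts, sid, "client-mismatch"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(LOG):
        print(alert)
```

Running the analyzer with `check_client=False` reports only the replay from abroad; the proxied replay at 11:30 passes the geo check exactly as the article describes.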
The threat is new, but hacking activities are expanding
Furthermore, they pointed out that the threat is a new one, with only about 1,000 victims so far. However, the attackers' activity is growing, and the number of victims could soon exceed the present figure.
Cookiethief has even attempted to disguise itself as the genuine online game Roblox for kids, with a fake app known as com.lob.roblox, an imitation of the original Android Roblox app. However, Kaspersky researchers said they were not able to find that fake app on common Android app stores.
The researchers have not confirmed what Cookiethief wants to do with the hacked Facebook accounts. However, Golovin and Kivva revealed that they saw a page that advertises services for distributing spam on messengers and social networks.
Kaspersky researchers said Cookiethief may have links with other Trojans, including Ztorg, Triada, as well as Sivu. These Trojans are usually deployed through operating system vulnerabilities or rooted in firmware.