1. Home > Virus prevention >

A very dangerous Android cookie stealing Trojan​-Cookiethief

Researchers recently discovered an Android malware, which is a password and very simple. The main task is to obtain root permissions on the victim's device and send cookies used by the browser and Facebook app back to a server controlled by the attacker. The method used by the Trojan to infect specific Android devices is unclear, but it is clear that it is definitely not a vulnerability in Facebook or the browser.
Cookie theft is very dangerous. Web services use cookies to store a unique session ID on the device that can identify the user without the user's password or login. If the attacker has a cookie, he can bypass the password and use the cookie to log in.
The package of the cookie-stealing malware discovered by the researchers is named com.lob.roblox, which is very similar to Roblox Android game client (com.roblox.client), but has no crossover with Roblox.


Malicious features of Trojan horse (Spy.AndroidOS.Cookiethief)
in order to perform super The user commands the malware to connect to a backdoor installed on the device.

and pass the shell command for execution.

The backdoor located in the /system/bin/.bood path will start the local server.

and execute the command from Cookiethief.

On the C2 server, the researchers found a page advertisement service that distributes spam in social networks and messaging applications, so it's easy to guess Motivation for cookie theft. But if the spammer is also blocked. For example, if Facebook detects a typical user activity, the account may be blocked.
In the course of Cookiethief's analysis, the researchers discovered another malicious app with a similar code style and using the same C2 server. The second product from the same developer runs an agent on the victim's device.
Researchers believe that Youzicheng is responsible for bypassing the security system of related messages and social networks using the proxy server on the victim's device. The result is that the attacker's request to the website appears to come from a legitimate account, and it will not raise suspicion.
To implement this method, you must first download an executable file.

Then request proxy configuration.

Run the downloaded file last.

By combining these two attacks, the attacker can achieve complete control of the victim’s account without causing Facebook’s suspicion. These threats are not just beginning to spread. The number of victims currently does not exceed 1,000, but this number is still growing.
By using the C2 server address and encryption key, Cookiethief can be associated with Trojan horses such as Sivu, Triada, and Ztorg. Generally speaking, such malicious software is either implanted in the device firmware before it is sold, or it enters the system folder through a loophole in the operating system, and then downloads different applications to the system.
In the end, there will be Trojan horses like Bood and auxiliary programs like Cookiethief and Youzicheng in the system.

This article is published by www.internetweblist.com and does not represent the position of www.internetweblist.com/:http://www.internetweblist.com/Virus prevention/20292.html

Contact Us

Online consultation:click here to give a message