A new, simple but dangerous strain of Android malware has been found in the wild that steals users’ authentication cookies from the web browser and other apps installed on the compromised device, including Chrome and Facebook.
Dubbed “Cookiethief” by Kaspersky researchers, the Trojan works by acquiring superuser (root) rights on the target device and subsequently transferring the stolen cookies to a remote command-and-control (C2) server operated by the attackers.
“This abuse technique is possible not because of a vulnerability in the Facebook app or browser itself,” Kaspersky researchers said. “Malware could steal cookie files of any website from other apps in the same way and achieve similar results.”
Cookiethief: Hijacking Accounts Without Requiring Passwords
Cookies are small pieces of information that websites often use to differentiate one user from another, provide continuity across the web, track browsing sessions across different websites, serve personalized content, and store strings related to targeted advertising.
Because cookies on a device allow users to stay logged in to a service without having to repeatedly sign in, Cookiethief exploits this very behavior: an attacker who holds a victim’s session cookie can gain unauthorized access to the victim’s accounts without knowing the account passwords.
“This way, a cybercriminal armed with a cookie can pass himself off as the unsuspecting victim and use the latter’s account for personal gain,” the researchers said.
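The reason a stolen cookie is enough is that a session cookie is a bearer token: whoever presents it is treated as the user. The following is an added example, not code from Kaspersky or from the article, showing one server-side mitigation a service can apply: recording a coarse client fingerprint when a session is created and revoking the session when the same cookie is later presented by a different client. The `SessionStore` class, the `fingerprint()` scheme (user agent plus the /24 of the source address) and all sample values are assumptions constructed for this illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Session:
    user: str
    client_fp: str                      # fingerprint of the client that logged in
    revoked: bool = False
    anomalies: List[str] = field(default_factory=list)


def fingerprint(user_agent: str, client_ip: str) -> str:
    """Coarse client fingerprint (hypothetical scheme): user agent + source /24.

    Using the /24 rather than the full address tolerates ordinary mobile
    address changes while still separating clearly different networks.
    """
    net = ".".join(client_ip.split(".")[:3])
    return hashlib.sha256(f"{user_agent}|{net}".encode()).hexdigest()


class SessionStore:
    """Server-side session table keyed by the random cookie value."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, user_agent: str, client_ip: str) -> str:
        # The cookie value itself carries no user data; it is only a lookup key.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, fingerprint(user_agent, client_ip))
        return token

    def authenticate(self, token: str, user_agent: str, client_ip: str) -> Optional[str]:
        """Return the user name for a valid cookie, or None if it is rejected."""
        session = self._sessions.get(token)
        if session is None or session.revoked:
            return None
        presented = fingerprint(user_agent, client_ip)
        if not hmac.compare_digest(presented, session.client_fp):
            # Same bearer cookie, different client: treat it as a replayed
            # (possibly stolen) cookie, revoke the session and keep a record
            # so the event can be surfaced to the user and to monitoring.
            session.revoked = True
            session.anomalies.append(f"cookie replayed from {user_agent} @ {client_ip}")
            return None
        return session.user

    def anomalies(self, token: str) -> List[str]:
        session = self._sessions.get(token)
        return list(session.anomalies) if session else []


def demo() -> dict:
    """Walk through the scenario with constructed sample clients."""
    store = SessionStore()
    # Constructed values: the victim's phone logs in from a home network.
    token = store.login("victim", "Mozilla/5.0 (Linux; Android 10) Chrome/80", "198.51.100.23")
    results = {
        # Same phone, address moved within the /24: still accepted.
        "victim_roaming": store.authenticate(token, "Mozilla/5.0 (Linux; Android 10) Chrome/80", "198.51.100.40"),
        # Cookie presented from an unrelated client: rejected and session revoked.
        "replayed_cookie": store.authenticate(token, "python-requests/2.22", "203.0.113.9"),
        # After revocation even the legitimate device must log in again.
        "victim_after_revoke": store.authenticate(token, "Mozilla/5.0 (Linux; Android 10) Chrome/80", "198.51.100.23"),
        "unknown_cookie": store.authenticate("not-a-real-token", "Mozilla/5.0", "198.51.100.23"),
        "anomaly_count": len(store.anomalies(token)),
    }
    return results


if __name__ == "__main__":
    print(demo())
```

Fingerprint binding is a heuristic, not a guarantee: a replay that matches the recorded user agent and network would pass. It is a complement to short session lifetimes and re-authentication for sensitive actions, and its main value here is that the forced logout and the recorded anomaly give both the user and the security team a signal that a session cookie has been reused elsewhere.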
Kaspersky theorizes that there are a number of ways the Trojan could end up on a device, including being planted in the device firmware before purchase, or through the exploitation of operating system vulnerabilities to download malicious applications.