Cookie Thief – Android Malware stealing browser & Facebook app cookies

Two new pieces of Android malware have been launched to steal cookies from browsers and the Facebook app by gaining root access on the victim’s Android device. This is an alarming concern, because web services use cookies to store a unique session ID on the device that can identify the user without a password and login.

Hackers can use the stolen cookies to obtain the victim’s website sessions and access the victim’s account. This is possible not because of a vulnerability in the Facebook app or the browser; the malware could also steal cookie files of any website from other apps. Researchers believe that the Cookiethief malware can be linked with widespread Trojans such as Sivu, Triada, and Ztorg. During the analysis of Cookiethief, Kaspersky’s researchers uncovered another malicious app with a very similar coding style and the same C&C (command and control) server.

The second product from (presumably) the same developers (detected as Trojan-Proxy.AndroidOS.Youzicheng) runs a proxy on the victim’s device. This malicious app is used to bypass the website’s security systems: by going through a proxy server on the victim’s device, it avoids detection, and a request to the website looks like a request from a real account. The attacks are in their initial stage and are being used to avoid suspicion from Facebook.
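An added illustration (not from the original article or from Kaspersky's research) of the two points above: a session cookie alone identifies the user, and traffic relayed through the victim's device looks like the real account. It runs a server-side check over constructed request records; the `Request` fields, the bind-to-first-request policy and all sample values are assumptions, not Facebook's actual checks.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    # Hypothetical fields a web service could log for each authenticated request.
    session_id: str
    ip: str
    user_agent: str


def find_session_anomalies(requests):
    """Bind each session ID to the IP and User-Agent of its first request and
    report later requests that present the same cookie with different values."""
    baseline = {}   # session_id -> first Request seen (stands in for the login)
    findings = []
    for index, req in enumerate(requests):
        first = baseline.setdefault(req.session_id, req)
        changed = []
        if req.ip != first.ip:
            changed.append("ip")
        if req.user_agent != first.user_agent:
            changed.append("user_agent")
        if changed:
            findings.append((index, req.session_id, tuple(changed)))
    return findings


# Constructed sample traffic: documentation IP ranges, made-up session IDs.
SAMPLE = [
    Request("sess-A", "198.51.100.7", "VictimBrowser/1.0"),  # 0: owner signs in
    Request("sess-A", "198.51.100.7", "VictimBrowser/1.0"),  # 1: owner again
    Request("sess-A", "203.0.113.50", "OtherClient/2.0"),    # 2: cookie reused from elsewhere
    Request("sess-B", "198.51.100.9", "VictimBrowser/1.0"),  # 3: second owner signs in
    Request("sess-B", "198.51.100.9", "OtherClient/2.0"),    # 4: relayed via owner's device
    Request("sess-B", "198.51.100.9", "VictimBrowser/1.0"),  # 5: relayed, same client string
]

if __name__ == "__main__":
    for index, sid, changed in find_session_anomalies(SAMPLE):
        print(f"request {index}: session {sid} changed {', '.join(changed)}")
```

Request 5 produces no finding: a request relayed through the victim's own device matches the baseline, so a check of this kind only catches a cookie reused from somewhere else.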

While this is a new threat and the aim of the cyber-criminals behind this cookie threat is hard to predict, researchers believe the C2 server used in this attack has advertising services for distributing spam on social networks and messengers, as a means to launch widespread spam and phishing attacks.