
Cookie-stealing trojans found lurking on Android phones

March 12, 2020

Researchers at Kaspersky have raised the alarm after uncovering two new Android malware modifications that can steal browser and application cookies and enable cyber criminals to take control of their victims’ social media accounts.

The ruse works by exploiting the unique session ID cookies that websites use to identify users in future without requiring them to log in using their passwords.

If the website can be fooled into thinking the attacker is the victim – easily done if they are in possession of a user’s ID – it becomes a very simple matter to take over the target account and use it for malicious purposes.

In this case, this is exactly what has happened, using two trojans with similar coding that are controlled by the same C&C server.

The first trojan, dubbed Cookiethief, acquires root rights on the target device, enabling the attackers to transfer cookies to their own servers.

The second trojan, dubbed Youzicheng, runs a proxy server on the target device to fool security measures that block suspicious login attempts – for example, logging in from two geographically distant locations a few minutes apart – and gain access without alerting the victim or website.
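The location check described above can be sketched as follows. This is an added example, not code from Kaspersky or from any website named in the article; the event fields, the 900 km/h threshold and the sample events are assumptions constructed for illustration. Session `sess-A` is reused from a distant location and is flagged, while `sess-B` is reused through the same network exit point, as happens with a proxy on the victim's device, and passes the check.

```python
import math
from datetime import datetime

# Constructed sample events: (session_id, ISO timestamp, latitude, longitude).
EVENTS = [
    ("sess-A", "2020-03-12T10:00:00", 51.5074, -0.1278),   # London
    ("sess-A", "2020-03-12T10:05:00", 1.3521, 103.8198),   # Singapore, 5 min later
    ("sess-B", "2020-03-12T10:00:00", 51.5074, -0.1278),   # London
    ("sess-B", "2020-03-12T10:05:00", 51.5074, -0.1278),   # same exit point (on-device proxy)
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(events, max_kmh=900.0):
    """Return session IDs whose consecutive uses imply a speed above max_kmh."""
    flagged = []
    last_seen = {}
    # ISO timestamps in one format sort chronologically as strings.
    for sid, ts, lat, lon in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if sid in last_seen:
            prev_when, prev_lat, prev_lon = last_seen[sid]
            hours = (when - prev_when).total_seconds() / 3600
            dist = haversine_km(prev_lat, prev_lon, lat, lon)
            # Zero elapsed time with non-zero distance is also impossible.
            if dist > 0 and (hours <= 0 or dist / hours > max_kmh):
                if sid not in flagged:
                    flagged.append(sid)
        last_seen[sid] = (when, lat, lon)
    return flagged

if __name__ == "__main__":
    print(impossible_travel(EVENTS))
```

Because the second session never changes apparent location, a website relying on this signal alone sees nothing unusual.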

“By combining two attacks, the cookie thieves have discovered a way to gain control over their victims’ account without arousing suspicion,” said Kaspersky malware analyst Igor Golovin. “While this is a relatively new threat – so far only about 1,000 individuals have been targeted – that number is growing and will most likely continue to do so, particularly because it is so hard for websites to detect.

“Even though we typically don’t pay attention to cookies when we’re surfing the web, they are still another means of processing our personal information, and anytime data about us is collected online, we need to pay attention.”

Kaspersky said that the ultimate aim of the group behind the trojans was not yet known, but a page its researchers found on the same C&C server offers an obvious clue – it advertises services for distributing spam on social networks, which suggests the plan is to launch more widespread spam and phishing campaigns.

Kaspersky has linked Cookiethief and Youzicheng with a number of other widespread trojans, including Sivu, Triada and Ztorg, because of similarities in C&C server addresses and encryption keys. The firm said that in most cases, such malware is either planted on the target device prior to purchase by malicious insiders or gets into system folders through backdoor vulnerabilities in the Android operating system.

Besides activating their devices’ on-board security features or augmenting them with third-party security services, users are best advised to block third-party cookie access on Android web browsers and only allow their data to be saved until they quit the browser. Periodically clearing cookies can also mitigate the danger to some degree.

More technical information, as well as indicators of compromise (IoCs), can be found on Kaspersky’s Securelist blog.
