Information security experts have discovered two new malware families for Android (rated the most vulnerable OS over the past year), called Cookiethief and Youzicheng. They can steal cookies stored by browsers on smartphones and by the apps of popular social networks, in particular Facebook.
Why is cookie theft dangerous? Web services use cookies to store on the user’s device not only various settings but also a unique session identifier that lets the service recognize the user without asking for a login and password again. So, once an attacker has obtained such a cookie, he can impersonate the unsuspecting user and use the account for his own purposes.
The attackers developed two pieces of malware with a similar coding style that use the same C&C server. Once installed on the device, the Cookiethief Trojan obtains superuser rights and transfers the cookie files of the browser and of the installed social network application to the C&C server.
“The Trojan detected by us as Trojan-Spy.AndroidOS.Cookiethief turned out to be quite simple. Its main task is to obtain root rights on the device and transfer the cookies of the browser and the Facebook application to the attacker server. To do this, the malware does not need a vulnerability in the browser or Facebook application; if necessary, it could steal the cookies of any site from other applications in the same way and with approximately the same result”, the experts write.
However, a session identifier alone is not enough to seize control of someone else’s account. For example, the security systems of some websites block suspicious login attempts. For such cases the criminals created a second piece of malware, Youzicheng. It can launch a proxy server on the phone and give the attackers Internet access from the victim’s device, so that their requests appear to come from the victim and bypass those security measures.
According to the experts, the malware does not exploit vulnerabilities in the mobile browser or the social network application, and the attackers can steal cookies from any site in the same way.
“By combining the two types of attacks, attackers found a way to gain control over user accounts without arousing suspicion. This is a relatively new threat; so far no more than a thousand people have been exposed to it. This number is growing and, most likely, will continue to grow, given that it is difficult for web sites to detect such attacks”, the experts explained.
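The last two paragraphs describe the defender’s problem: a stolen session cookie is indistinguishable from the real one, and a proxy running on the victim’s phone defeats checks that look only at the source IP address. The following Python example is added here and is not code from the experts’ report or from any of the malware described. It sketches a server-side check that binds each session identifier at login to the client attributes the server saw (a /24 IP prefix and a hash of the User-Agent header, both chosen as assumptions for the illustration) and flags later requests that reuse the cookie from a different-looking client. The four constructed scenarios show which replays such a check catches and, importantly, which one it does not.

```python
import hashlib
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Dict, List


@dataclass
class SessionRecord:
    """What the server remembers about a session at login time (assumed attributes)."""
    user: str
    ip_prefix: str   # first three octets of the client IPv4 address
    ua_hash: str     # truncated SHA-256 of the User-Agent header


@dataclass
class SessionStore:
    sessions: Dict[str, SessionRecord] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    @staticmethod
    def _ip_prefix(ip: str) -> str:
        # Compare on the /24 so a phone hopping between addresses in one carrier block stays "ok".
        return ".".join(ip.split(".")[:3])

    @staticmethod
    def _ua_hash(user_agent: str) -> str:
        return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()[:16]

    def login(self, session_id: str, user: str, ip: str, user_agent: str) -> None:
        """Record the client attributes present when the session cookie was issued."""
        self.sessions[session_id] = SessionRecord(
            user, self._ip_prefix(ip), self._ua_hash(user_agent)
        )

    def check(self, session_id: str, ip: str, user_agent: str) -> str:
        """Return 'ok', 'unknown-session', or 'step-up:<mismatched attributes>'.

        A step-up verdict means the site should require re-authentication
        (password, second factor) before honouring the request.
        """
        rec = self.sessions.get(session_id)
        if rec is None:
            return "unknown-session"
        mismatches = []
        if rec.ip_prefix != self._ip_prefix(ip):
            mismatches.append("ip")
        if rec.ua_hash != self._ua_hash(user_agent):
            mismatches.append("user-agent")
        if not mismatches:
            return "ok"
        verdict = "step-up:" + "+".join(mismatches)
        self.alerts.append(f"user={rec.user} session={session_id[:8]}... {verdict}")
        return verdict


def session_from_cookie_header(header_value: str, name: str = "sessionid") -> str:
    """Extract the session identifier from a raw Cookie header (cookie name is an assumption)."""
    jar = SimpleCookie()
    jar.load(header_value)
    return jar[name].value if name in jar else ""


def run_scenario() -> Dict[str, str]:
    """Constructed scenario: one legitimate login, then three replays of the stolen cookie."""
    store = SessionStore()
    victim_ip = "198.51.100.23"                      # constructed (TEST-NET-2)
    victim_ua = "Mozilla/5.0 (Linux; Android 9) ExampleBrowser/1.0"  # constructed
    c2_ip = "203.0.113.77"                           # constructed (TEST-NET-3)
    c2_ua = "python-requests/2.x"                    # constructed
    sid = session_from_cookie_header("sessionid=9f1c2e7a4b0d6c31; csrftoken=deadbeef")

    store.login(sid, "alice", victim_ip, victim_ua)
    return {
        # Same phone, same browser: nothing to flag.
        "legitimate": store.check(sid, victim_ip, victim_ua),
        # Cookie replayed directly from the attackers' server: both attributes differ.
        "replay_from_c2": store.check(sid, c2_ip, c2_ua),
        # Replayed through a proxy on the victim's phone: the IP matches, the client does not.
        "replay_via_victim_proxy": store.check(sid, victim_ip, c2_ua),
        # Proxy on the phone plus a client that presents the victim's own headers: indistinguishable.
        "replay_via_victim_proxy_same_ua": store.check(sid, victim_ip, victim_ua),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:35s} {verdict}")
```

The last scenario is the point of the paragraph above: once the attacker’s traffic originates from the victim’s own device and carries the victim’s own headers, attribute binding has nothing left to compare, which is why a site relying on it should also keep session lifetimes short and demand re-authentication for sensitive actions rather than treating a valid cookie as proof of identity.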
According to the expert report, Cookiethief can be linked to widespread Trojans such as Sivu, Triada and Ztorg through the control server addresses and encryption keys it uses. Malware of this kind is often either preloaded into the device’s “firmware” before the user purchases it, or gets into system folders through OS vulnerabilities, after which it can download arbitrary applications into the system partition.
As a result, the user may end up with an “undeletable” backdoor such as Bood, along with its auxiliary applications Cookiethief and Youzicheng.
I am not trying to intimidate you, but it is worth remembering that 40% of devices running older versions of Android have not received security updates recently.