Cookiethief: a cookie-stealing Trojan for Android

abstract digital blue 990x400 1

We recently discovered a new strain of Android malware. The Trojan (detected as: Trojan-Spy.AndroidOS.Cookiethief) turned out to be quite simple. Its main task was to acquire root rights on the victim device, and transfer cookies used by the browser and Facebook app to the cybercriminals’ server. This abuse technique is possible not because of a vulnerability in Facebook app or browser itself. Malware could steal cookie files of any website from other apps in the same way and achieve similar results.

How can stealing cookies be dangerous? Besides various settings, web services use them to store on the device a unique session ID that can identify the user without a password and login. This way, a cybercriminal armed with a cookie can pass himself off as the unsuspecting victim and use the latter’s account for personal gain.

Package name of the Cookiethief malware — com.lob.roblox, which is similar to that of the Roblox Android gaming client (com.roblox.client), but has nothing in common with Roblox.

sl cookiethief 01 sl cookiethief 02 sl cookiethief 03

Malicious features of Trojan-Spy.AndroidOS.Cookiethief

To execute superuser commands, the malware connects to a backdoor installed on the same smartphone…

sl cookiethief 04

…and passes it a shell command for execution.

sl cookiethief 05

The backdoor Bood, located at the path /system/bin/.bood, launches the local server…

sl cookiethief 06

…and executes commands received from Cookiethief.

sl cookiethief 07

On the C&C server we also found a page advertising services for distributing spam on social networks and messengers, so it was not difficult to guess the motive behind the cookie-theft operation.

But there’s still a hurdle for the spammers that prevents them from gaining instant access to accounts just like that. For example, if Facebook detects an atypical user activity, the account may be blocked.

However, during our analysis of Cookiethief, we uncovered another malicious app with a very similar coding style and the same C&C server. The second “product” from (presumably) the same developers (detected as: Trojan-Proxy.AndroidOS.Youzicheng) runs a proxy on the victim’s device.

We believe that Youzicheng is tasked with bypassing the security systems of the relevant messenger or social network using a proxy server on the victim’s device. As a result, cybercriminals’ request to the website will look like a request from a legitimate account and not arouse suspicion.

To implement this method, an executable file is first downloaded.

sl cookiethief 08

Then the proxy configuration is requested.

sl cookiethief 09

The downloaded file is then run.

sl cookiethief 10

By combining these two attacks, cybercriminals can gain complete control over the victim’s account and not raise a suspicion from Facebook. These threats are only just starting to spread, and the number of victims, according to our data, does not exceed 1000, but the figure is growing.

Through the C&C server addresses and encryption keys used, Cookiethief can be linked with such widespread Trojans as Sivu, Triada, and Ztorg. Usually, such malware is either planted in the device firmware before purchase, or it gets into system folders through vulnerabilities in the operating system and then can download various applications into the system. As a result, a persistent backdoor like Bood, along with the auxiliary programs Cookiethief and Youzicheng, can end up on the device.

We detect com.lob.roblox as HEUR:Trojan-Spy.AndroidOS.Cookiethief, org.rabbit as HEUR:Trojan-Proxy.AndroidOS.Youzicheng, and Bood as HEUR:Backdoor.AndroidOS.Bood.a.

IOCs

Package name MD5 C&C
com.lob.roblox 65a92baefd41eb8c1a9df6c266992730

f84a43b008a25ba2ba1060b33daf14a5

c9c252362fd759742ea9766a769dbabe

api-resource.youzicheng[.]net
org.rabbit c907d74ace51cec7cb53b0c8720063e1 api-rssocks.youzicheng[.]net
Bood 8312e7c626cac368f0bd79c9c8da5bd7 http://guard.yoboxtool[.]com:8099

http://zh.yomobi[.]net:8080

 

Original Source