Security Affairs
JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Cookiethief, the Android malware that hijacks Facebook accounts

Experts discovered an Android Trojan, dubbed Cookiethief, that is able to gain root access on infected devices and hijack Facebook accounts. Security experts from Kaspersky recently discovered Android Trojan that was designed to gain root access on infected devices and hijack Facebook accounts by stealing cookies from the browser and the social media app. “We […]

Cookiethief

Experts discovered an Android Trojan, dubbed Cookiethief, that is able to gain root access on infected devices and hijack Facebook accounts.

Security experts from Kaspersky recently discovered Android Trojan that was designed to gain root access on infected devices and hijack Facebook accounts by stealing cookies from the browser and the social media app.

“We recently discovered a new strain of Android malware. The Trojan (detected as: Trojan-Spy.AndroidOS.Cookiethief) turned out to be quite simple. Its main task was to acquire root rights on the victim device, and transfer cookies used by the browser and Facebook app to the cybercriminals’ server.” reads the analysis published by Kaspersky. “Malware could steal cookie files of any website from other apps in the same way and achieve similar results.”

The package name of the Cookiethief Trojan (com.lob.roblox) is similar to the one of the Roblox Android gaming client (com.roblox.client), but the two software have not common.

The malware doesn’t exploit any flaw in the Facebook app or the browser, the researchers explained that the malicious code achieves root privileges by connecting with another backdoor installed on the smartphone, then passes it a shell command for execution.

The backdoor, tracked as Bood, is located at the path /system/bin/.bood, it launches a local server and executes the command that the passed by the Cookiethief malware.

The analysis of the command and control (C&C) server revealed the presence of a page that advertises services for sending spam on social networks and messengers, a circumstance that suggests the motivation between the development of this malware.

“How can stealing cookies be dangerous? Besides various settings, web services use them to store on the device a unique session ID that can identify the user without a password and login.” continues Kaspersky. “This way, a cybercriminal armed with a cookie can pass himself off as the unsuspecting victim and use the latter’s account for personal gain.”

While analyzing Cookiethief, researchers also identified another malicious application, tracked as Trojan-Proxy.AndroidOS.Youzicheng, that connects the same C2 and that shows similar coding. This malicious app allows to run a proxy on the victim’s device, according to the experts is was designed to bypass Facebook protections.

“By combining these two attacks, cybercriminals can gain complete control over the victim’s account and not raise a suspicion from Facebook. These threats are only just starting to spread, and the number of victims, according to our data, does not exceed 1000, but the figure is growing,” continues the report.

The researchers believe that Cookiethief can be linked with other common Trojans, including Sivu, Triada, and Ztorg, some of them were discovered pre-installed on models of low-cost Android smartphones.

“As a result, a persistent backdoor like Bood, along with the auxiliary programs Cookiethief and Youzicheng, can end up on the device,” Kaspersky concludes.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – malware, Android)

[adrotate banner=”5″]

[adrotate banner=”13″]