Cookiethief: a cookie-stealing Trojan for Android


We recently discovered a new strain of Android malware. The Trojan (detected as Trojan-Spy.AndroidOS.Cookiethief) turned out to be quite simple. Its main task was to acquire root rights on the victim device and transfer cookies used by the browser and the Facebook app to the cybercriminals' server. The exact means by which the Trojan was able to infect certain Android devices is not clear; however, it was not due to a vulnerability in the Facebook application or the browser itself.


How can stealing cookies be dangerous? Besides various settings, web services use them to store on the device a unique session ID that can identify the user without a password and login. This way, a cybercriminal armed with a cookie can pass himself off as the unsuspecting victim and use the latter’s account for personal gain.
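The paragraph above explains why a stolen cookie is enough to impersonate the victim: the session ID inside it is accepted without a password. One server-side mitigation is to notice when an established session ID suddenly arrives from a different client than the one that created it. The following is an added example, not code from the original report or from any product described in it; the log format, field names, IP addresses and session IDs are all constructed for illustration.

```python
"""
Session-cookie replay detection over constructed server access logs.

Idea: remember the client fingerprint (IP + User-Agent) that first used a
session ID; any later request with the same session ID but a different
fingerprint is suspicious.  A changed User-Agent is weighted higher than a
changed IP, because mobile clients legitimately change IP (carrier NAT,
Wi-Fi to cellular) far more often than they change browser.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample log.  Format (assumed, not a real product's):
#   <ISO timestamp> sid=<session id> ip=<client ip> ua=<user agent>
SAMPLE_LOG = """\
2020-03-12T10:00:01 sid=a1b2c3 ip=203.0.113.5 ua=Mozilla/5.0 (Linux; Android 9) Chrome/80
2020-03-12T10:02:17 sid=a1b2c3 ip=203.0.113.5 ua=Mozilla/5.0 (Linux; Android 9) Chrome/80
2020-03-12T10:05:44 sid=a1b2c3 ip=198.51.100.77 ua=python-requests/2.22.0
2020-03-12T10:06:02 sid=d4e5f6 ip=192.0.2.10 ua=Mozilla/5.0 (Windows NT 10.0) Firefox/73
2020-03-12T10:07:30 sid=d4e5f6 ip=192.0.2.10 ua=Mozilla/5.0 (Windows NT 10.0) Firefox/73
2020-03-12T10:09:15 sid=d4e5f6 ip=192.0.2.44 ua=Mozilla/5.0 (Windows NT 10.0) Firefox/73
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua=(?P<ua>.*)$")


def parse_log(text: str) -> List[dict]:
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_replayed_sessions(events: List[dict]) -> List[dict]:
    """Return one alert per request whose fingerprint differs from the
    fingerprint that first used that session ID, in log order."""
    first_seen: Dict[str, Tuple[str, str]] = {}
    alerts: List[dict] = []
    for ev in events:
        sid = ev["sid"]
        fingerprint = (ev["ip"], ev["ua"])
        if sid not in first_seen:
            first_seen[sid] = fingerprint  # session established here
            continue
        expected = first_seen[sid]
        if fingerprint == expected:
            continue
        # Different UA on a known session is the stronger signal of a
        # cookie being replayed from another client.
        ua_changed = fingerprint[1] != expected[1]
        alerts.append({
            "sid": sid,
            "time": ev["ts"],
            "expected": expected,
            "observed": fingerprint,
            "severity": "high" if ua_changed else "low",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(parse_log(SAMPLE_LOG)):
        print(f"[{alert['severity']}] {alert['time']} session {alert['sid']}: "
              f"expected {alert['expected']}, observed {alert['observed']}")
```

Run on the sample, the detector raises a high-severity alert for session `a1b2c3`, which is replayed from a different address with a scripted User-Agent, and a low-severity alert for `d4e5f6`, whose IP changed while the browser did not. Both are inputs to a policy (re-authenticate, step up, or just log); the detector itself does not decide.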


The package name of the Cookiethief malware, com.lob.roblox, resembles that of the Roblox Android gaming client (com.roblox.client), but the Trojan has nothing in common with Roblox.



Malicious features of Trojan-Spy.AndroidOS.Cookiethief


To execute superuser commands, the malware connects to a backdoor installed on the same smartphone…



…and passes it a shell command for execution.



The backdoor Bood, located at the path /system/bin/.bood, ..
