Facebook cookie-stealing trojans surface on Android devices

Browser cookies try to save you time and effort by collecting certain information for the websites you frequent. By storing an associated browser session ID, for example, cookies spare you from having to enter your login credentials each time you open the same site. But that same convenience is being exploited by a pair of Android-targeted trojans discovered by Kaspersky.

SEE: Top Android security tips (free PDF) (TechRepublic) 

Released on Thursday, the Kaspersky report “Cookiethief: a cookie-stealing Trojan for Android” describes a new strain of malware dubbed Trojan-Spy.AndroidOS.Cookiethief. This trojan captures root rights on an Android device, thus allowing it to steal cookies from the browser and from Facebook and transfer them to the server of the cybercriminals behind it. By using the stolen cookies, someone can then impersonate a user on the web to access that person’s account.

The current version of this trojan is specific to Android and is stealing cookies from Chrome and Android’s default browser. Though the trojan is targeting cookies from Facebook, the theft is not the result of any flaw in the Facebook app or in the Android browser. Such a trojan is capable of stealing cookies for any social media site or other website, according to Kaspersky.

Just using a session ID from the stolen cookies may not be sufficient to take over an account. In many cases, websites such as Facebook have security measures in place to guard against suspicious login attempts. But here’s where the people behind this malicious activity show some cunning. A second trojan turns up to run a proxy server on the targeted Android device, which then is able to bypass any login security put in place by the affected site.

The true goal of the cookie thieves is unknown, according to Kaspersky. But a page found on their Command & Control server advertises services for distributing spam on social networks and messengers. That means the cybercriminals may be aiming to compromise social media accounts to launch spam and phishing attacks.

“By combining two attacks, the cookie thieves discovered a way to gain control over their victims’ accounts without arousing suspicions,” Kaspersky malware analyst Igor Golovin said in a press release. “While this is a relatively new threat–so far, only about 1,000 individuals have been targeted–that number is growing and will most likely continue to do so, particularly since it’s so hard for websites to detect. Even though we typically don’t pay attention to cookies when we’re surfing the web, they’re still another means of processing our personal information, and anytime data about us is collected online, we need to pay attention.”

To protect yourself against this type of malware, Kaspersky offers the following recommendations:

• Block third-party cookie access on your phone’s web browser, and only let your data be saved until you quit the browser.
• Periodically clear your cookies.
• Use a reliable security product for Android that includes a Private Browsing feature, which prevents websites from collecting information about your activity online.

Golovin and fellow Kaspersky security expert Anton Kivva shared two additional tips: 1) Only download applications from trusted sources, like official marketplaces. 2) Using Private Browsing mode in your browser could reduce the possibility of the cookies being stolen. But how effective Private Browsing is at protecting your cookies depends on how the feature is implemented in the browser you use.

Also see