March 16, 2020 By David Bisson 2 min read

Researchers spotted a new cookie-stealing Trojan called “Cookiethief” that is targeting users’ social media accounts and browsers.

Kaspersky Lab observed that the primary aim of the malware, which they detected as Trojan-Spy.AndroidOS.Cookiethief, was to gain root privileges on a victim’s Android device. The cookie-stealing malware then leveraged that level of access to transfer cookies employed by the user’s browser and Facebook account to a command-and-control (C&C) server under the attacker’s control. It did so not by exploiting a vulnerability in either Facebook or the browser. Instead, it connected with a backdoor installed on the same device and used it to execute commands.

To avoid raising red flags with Facebook, Cookiethief employed Trojan-Proxy.AndroidOS.Youzicheng to run a proxy on the victim’s device. This step helped the malware bypass security solutions on the social network by disguising the attacker’s request as one from a legitimate user account.

Social Media Cookie Stealers Aplenty

Cookiethief is not the first malware to target social media users’ cookies. Back in April 2018, for instance, Radware detected an attack campaign that relied on a malware family called “Stresspaint” to infect 40,000 users and steal tens of thousands of Facebook user credentials/cookies within a matter of days. In December 2019, Naked Security reported on a threat called “AdKoob” that dug into a victim’s browser database of cookies for the purpose of looking up their ad spending on Facebook.

Defend Against Cookie-Stealing Trojans

Stealing a user’s cookies is no joke. Web services like Facebook leverage cookies to store a unique session ID on a victim’s device. That session ID can permit the user to regain access to their account without providing their login credentials. This means that, in the wrong hands, cookies can enable digital attackers to assume the identities of legitimate users and effectively bypass identity and access management (IAM) features such as multifactor authentication (MFA).

Threat actors can then leverage that disguise to conduct secondary attacks. In the case of Cookiethief, the attackers could have used a module to distribute spam on social networks and messengers, activity that could have hurt the victim’s reputation.

Acknowledging this activity, security professionals can help protect their organizations against a cookie-stealing Trojan like Cookiethief by using the latest threat intelligence to stay vigilant and aware of the malware threats targeting their users. Companies should also augment the strength of their IAM program by investing in a modern system that extends across an organization’s entire IT infrastructure, including the cloud.

More from

Government cybersecurity in 2025: Former Principal Deputy National Cyber Director weighs in

4 min read - As 2024 comes to an end, it’s time to look ahead to the state of public cybersecurity in 2025.The good news is this: Cybersecurity will be an ongoing concern for the government regardless of the party in power, as many current cybersecurity initiatives are bipartisan. But what will government cybersecurity look like in 2025?Will the country be better off than they are today? What are the positive signs that could signal a good year for national cybersecurity? And what threats should…

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

2024 trends: Were they accurate?

4 min read - The new year always kicks off with a flood of prediction articles; then, 12 months later, our newsfeed is filled with wrap-up articles. But we are often left to wonder if experts got it right in January about how the year would unfold. As we close out 2024, let’s take a moment to go back and see if the crystal balls were working about how the year would play out in cybersecurity.Here are five trends that were often predicted for…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today