A new strain of Android malware is attempting to hijack Facebook user accounts.
Named Cookiethief by the Kaspersky researchers who discovered it, the malware obtains "root" (full system control) on the infected device. It then finds Facebook session cookies and sends them to a remote command-and-control server run by the malware's operators.
"The exact means by which this Trojan was able to infect specific Android devices is unclear," Anton Kivva and Igor Golovin of Kaspersky said in a blog post today (March 12).
"However, it was not due to a vulnerability in the Facebook application or in the browser itself."
To protect yourself from Cookiethief and similar attacks, you need to block third-party cookies in various Android browsers.
In Chrome, tap the menu button (three vertical dots) in the upper right corner of the screen, tap Settings, scroll down to the Advanced section, tap Site Settings, tap Cookies, and check "Block third-party cookies."
In Firefox, select Menu > Settings > Privacy > Cookies and select "Exclude third parties, enable."
In Opera, tap the O icon in the lower right corner, tap Settings, scroll down to the Privacy section, tap Cookies, and select "Exclude third parties, enable."
Kaspersky researchers also recommend clearing cookies regularly, which can be done from various browser settings menus, and installing and using one of the best Android antivirus apps.
You can also periodically log out of your Facebook account with the Facebook app and log back in.
Session cookies allow you to stay logged in to Facebook and many other online services for months without having to log back in after restarting your computer or mobile device. Attackers can use session cookies to hijack accounts without knowing the password.
Facebook has geographic safeguards against the misuse of session cookies. For example, it makes sure that the person using the cookie is accessing your account from, say, Indiana, not Indonesia.
However, Cookiethief circumvents that by installing a second piece of malware that creates a proxy server on the Android device. Traffic routed through this proxy hides the attacker's true location, making it appear that the attacker, who could be anywhere in the world, is accessing Facebook from the real user's home region.
"By combining these two attacks, cybercriminals can gain complete control over the victim's account and never arouse suspicion from Facebook," wrote the Kaspersky researchers.
"These threats are just beginning to spread, and according to our data, the number of victims has not yet exceeded 1,000."
The malware's Android package name is com.lob.roblox, while the actual Android Roblox app is com.roblox.client. This fake app could not be found in the most popular Android app stores.
It is not yet known what Cookiethief does with the hijacked Facebook accounts, but Kivva and Golovin said Cookiethief's command-and-control server is tied to services that "deliver spam on social networks and messenger service's advertising pages." Hijacking dozens or hundreds of Facebook accounts would be an effective way to spread spam.
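The package-name mismatch described above (com.lob.roblox versus com.roblox.client) is something a device owner or administrator can check against the installed-package list. The following is an added example, not code from Kaspersky or the original article; the function names and the sample `pm list packages` output are constructed for illustration.

```python
# Added example: flag installed Android packages that borrow a brand name
# but are not that brand's official package ID.

# Official IDs to compare against. com.roblox.client comes from the article;
# extend the mapping with other apps you care about (assumption: you
# maintain this list yourself).
OFFICIAL_IDS = {"roblox": "com.roblox.client"}

# Constructed sample of `adb shell pm list packages` output.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:com.roblox.client
package:com.lob.roblox
package:org.mozilla.firefox
"""


def parse_pm_list(text):
    """Return package IDs from 'package:<id>' lines, ignoring anything else."""
    prefix = "package:"
    return [line.strip()[len(prefix):] for line in text.splitlines()
            if line.strip().startswith(prefix)]


def find_lookalikes(installed, official_ids=OFFICIAL_IDS):
    """Return (package, brand, official_id) for each package whose name
    contains a brand string but is not that brand's official ID."""
    hits = []
    for pkg in installed:
        segments = pkg.lower().split(".")
        for brand, official in official_ids.items():
            if pkg != official and any(brand in seg for seg in segments):
                hits.append((pkg, brand, official))
    return hits


if __name__ == "__main__":
    for pkg, brand, official in find_lookalikes(parse_pm_list(SAMPLE_PM_OUTPUT)):
        print(f"review: {pkg} uses '{brand}' but the official ID is {official}")
```

A hit is only a lead for review: a package name by itself proves nothing, so confirm by checking where the app was installed from and who signed it.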