Android smartphone and tablet owners have been warned about a worrisome new strain of malware found “in the wild” – which means that cyber crooks are already deploying it online. In a nutshell, the new digital infection steals users’ authentication cookies from web browsers and other apps, including the likes of Facebook. Sensitive information is then transferred from the compromised device to the hackers’ servers.
Cookies are small chunks of information designed to improve your browsing experience online – they are what allow websites to remember who you are and serve up personalised recommendations, remember your previous searches so you don’t have to, and more. Cookies are also used to target advertisements based on your browsing history.
It’s also cookies that allow your account to stay signed in to a website or online service, so you don’t have to log in every time you visit a site.
And it’s this particular behaviour that the new malware strain – aptly dubbed CookieThief by the Kaspersky researchers who uncovered it – aims to exploit to steal your personal information. According to the researchers, hackers are able to siphon off cookie data to gain unauthorised access to your online accounts behind your back. To do this, the hackers won’t even need to know your password.
The crooks will be logged in automatically, just as you are whenever you navigate to one of your favourite sites on your home computer.
“A cybercriminal armed with a cookie can pass himself off as the unsuspecting victim and use the latter’s account for personal gain,” the researchers said. “This abuse technique is possible not because of a vulnerability in the Facebook app or browser itself. Malware could steal cookie files of any website from other apps in the same way and achieve similar results,” they added.
Kaspersky doesn’t know exactly how this malware spreads. However, the researchers have theorised that cyber crooks could install the malicious code on the smartphone or tablet before purchase. It could also be installed on your device by exploiting vulnerabilities in the Android operating system when you download malicious applications.
This is why it’s so important to ensure you’re running the latest available version of Android since Google regularly patches these types of vulnerability in its updates.
Facebook already has a number of measures in place to block any suspicious login attempts – such as those from locations, devices, or brands of web browser that it doesn’t recognise. For example, if you’ve never logged into your Facebook account from Australia before, that is going to be flagged as suspicious by Facebook.
However, what makes CookieThief so clever – and therefore, so worrying – is that hackers have found a way to create a proxy server on the infected device to impersonate the location, web browser, and more so that the login attempt from the hackers looks legitimate.
“By combining these two attacks, cybercriminals can gain complete control over the victim’s account and not raise suspicion from Facebook,” the researchers noted. They have used the hugely popular social network as an example, but other services can be accessed using the same technique.
Kaspersky says it has identified around 1,000 individuals who have been hit with the new malware. However, it warns that number is “growing” and there are a number of difficulties in detecting intrusions from CookieThief, so it’s possible the number is already much higher than reported.
If you’re worried about an attack like this, it’s worth blocking third-party cookies on your Android smartphone or tablet’s web browser. Clearing the cookies saved on your device on a regular basis can also help. Visiting websites in Incognito Mode is also a good way to avoid this type of attack, since this stops the browser from storing any cookies on your hardware.
Published at Tue, 17 Mar 2020 07:31:00 +0000