Android’s Newest Threat Warning: Your Facebook App Can Now Be Hacked—Here’s How It Works

Avatar for John_Cena
4 years ago

A worrying new security report claims that devious hackers have developed a new exploit to target the Facebook accounts of Android users. To be more accurate, it is two separate exploits that work in tandem toward a common goal. We increasingly see multiple pieces of malware used in parallel, each with a specific objective, but this crafted approach with two exploits from the same hacking team is an interesting twist.

According to Kaspersky, the goal of the attack is to gain unauthorized access to Facebook accounts—and it all starts with hackers targeting an Android phone to capture Facebook cookies from the device’s browser and the app itself. This is done by acquiring root access and establishing a comms link out to a C&C server.

Facebook is one of many apps that will have dropped cookies—identifying code—onto the device, such that the user is recognized the next time they log in. This is why you can “stay logged in” to apps, because they can trust it’s you. Cookies make the world wide web go round, but they can also be the nasty little tracking tokens that follow us across the internet—multiple sites, multiple platforms.

This, though, is a new cookie problem. That said, stealing a Facebook cookie doesn’t let you back into Facebook from a different device without credentials. The platform detects you’re coming from an unknown location and blocks you, asking you to sign in, potentially locking the account. And that’s where the second part of this malicious attack kicks in.

This attack is designed to defeat the very way that the “stay logged in” security works. It does so by hijacking the Android device to use as a proxy server through which the attackers can access Facebook. So, while the attackers are sitting someplace else, Facebook sees the account access as coming from the expected device. The login works. All without the user having any indication of a compromise.

“By combining these two attacks,” Kaspersky’s Anton Kivva and Igor Golovin say in a March 12 blogpost, “cybercriminals can gain complete control over the victim’s account and not raise a suspicion from Facebook.” This devious marriage of Trojan-Spy.AndroidOS.Cookiethief and Trojan-Proxy.AndroidOS.Youzicheng has only just started to hit its first thousand target accounts. “But the figure is growing.”

Kaspersky says in its report that “this abuse technique is possible not because of a vulnerability in Facebook app or browser itself—malware could steal cookie files of any website from other apps in the same way and achieve similar results.”

This was echoed by Facebook, with a spokesperson telling me “Kaspersky’s report identifies how an attacker using malware can compromise someone’s device, not a vulnerability in Facebook’s code. We recommend that people use the latest version of Android or iOS to help protect against this kind of attack.”

Account hijacking is an increasing problem, as attackers look to spread malware and malicious phishing links through victims to their contacts—this is basic social engineering. If I receive a Facebook message from a friend, I am far more likely to click the link or open the attachment than if it’s from someone unknown.

“On the C&C server,” Kaspersky says, “we also found a page advertising services for distributing spam on social networks and messengers, so it was not difficult to guess the motive behind the cookie-theft operation.”

I have reported before on more laborious hacks on messaging platforms to achieve the same goal; this is simply an automated approach. There are certain precautions users can take to defend against this attack—not staying logged in, for example, deleting cookies or blocking their access. But realistically, this is a vulnerability that needs to be detected and blocked in the exploit phase. One can expect Google and Facebook to be looking into a more permanent solution now.
