FFDroider has been hoovering up credentials and cookies that are normally stored in web browsers to hijack the social media accounts of targeted users, Cyware Threat Intelligence wrote in a new report.
FFDroider: a Novel Multi-purpose Malware
The FFDroider info-stealer spreads through games, software cracks, free software, and files downloaded from low-quality torrent sites. Downloading such a file can lead to an FFDroider infection, with the installer disguised as the Telegram desktop app, Cyware said. FFDroider is tuned to harvest browser cookies and saved account credentials, which every browser keeps on disk unless it is running in incognito mode. The stealer scans for multiple browsers, including Google Chrome, Internet Explorer, Microsoft Edge, and Mozilla Firefox.
Technical Analysis of FFDroider Campaign
Once a user has unknowingly infected themselves with FFDroider by downloading and installing the risky files, the malware activates and creates a Windows Registry key (FFDroider), allowing it to bypass Windows security. It then compares its built-in list of browsers against those installed on the target system and collects the cookies and credentials for specific social media platforms. Next, it attempts to log in to those social media platforms with the stolen cookies and credentials and sends the stolen data to a cybercriminal CnC (command and control) server. For instance, FFDroider “reads and parses [SQL query] the Chromium SQLite Credential Store” from: “C:\Users\Appdata\Local\Chrome\User Data\Default\Login Data.” This file holds the browser's saved user credentials.
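The two behaviours described above, a registry key named FFDroider and a read of the Chromium “Login Data” store, are both observable from endpoint telemetry. The following detection pass is an added example written for this article, not code from Cyware or Zscaler; the event format, field names and sample events are constructed, and the Run-key location of the FFDroider key is an assumption, since the report names the key but not where it is created.

```python
"""Toy detection pass over constructed Sysmon-style events for the two
FFDroider behaviours the report describes: persistence via a registry key
named "FFDroider", and a non-browser process reading the Chromium
"Login Data" SQLite credential store.

The event tuples and their field layout are constructed for this example
and do not mirror any real telemetry product.
"""
import re

# Constructed sample events: (event_type, process_image, target).
# The Telegram.exe path mimics the report's "disguised as Telegram" lure;
# the Run-key location for the FFDroider key is an assumption.
SAMPLE_EVENTS = [
    ("registry_set", r"C:\Users\alice\AppData\Local\Temp\Telegram.exe",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FFDroider"),
    ("file_read", r"C:\Users\alice\AppData\Local\Temp\Telegram.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    # Benign: the browser itself opening its own credential store.
    ("file_read", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    # Benign: unrelated registry write by a system process.
    ("registry_set", r"C:\Windows\System32\svchost.exe",
     r"HKLM\SYSTEM\CurrentControlSet\Services\Example\Start"),
]

# Process images that are expected to open their own credential stores.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe"}

# Any Chromium-family profile's "Login Data" file (User Data\<profile>\Login Data).
CRED_STORE = re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.IGNORECASE)

# The report names the key "FFDroider" but not its hive, so match the name only.
FFDROIDER_KEY = re.compile(r"\\FFDroider$", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of (rule, process_image, target) alerts.

    Rule 1 is indicator-based (the literal key name from the report) and
    therefore brittle; rule 2 is behavioural and catches any stealer that
    reads the Chromium credential store from a non-browser process.
    """
    alerts = []
    for event_type, image, target in events:
        if event_type == "registry_set" and FFDROIDER_KEY.search(target):
            alerts.append(("ffdroider_persistence_key", image, target))
        elif (event_type == "file_read" and CRED_STORE.search(target)
              and basename(image) not in BROWSER_IMAGES):
            alerts.append(("non_browser_reads_login_data", image, target))
    return alerts


if __name__ == "__main__":
    for rule, image, target in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {image} -> {target}")
```

Run against the constructed events, the pass raises exactly two alerts, both on the disguised Telegram.exe process, while the browser's own read of Login Data and the svchost registry write stay quiet. In a real deployment the behavioural rule would also need an allow-list for backup agents and password managers that legitimately read the store.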
What is a Stealer?
A stealer is a compact malicious program that collects data and can disguise itself on a victim's machine as another application, bypassing Windows security (such as the Windows Firewall) by installing itself in the Windows Registry. It can also replicate itself multiple times. “Over the years, Stealers became one of the most commonly used malware in any cyberattack campaign,” Zscaler noted. Because attacks like this rely in part on stored browser cookies, it is a good idea to use a privacy-conscious web browser that can fully clear risky cookies and reduce your digital footprint. It is far better, however, to avoid illegal downloads and unknown software sources in the first place. Find more in-depth information about stealer malware like FFDroider in our detailed article about the BloodyStealer malware. To protect yourself from dangerous stealers and encrypt your internet connection, read our full guide to the best antivirus software with a built-in VPN.