FFDroider: Malware steals Twitter and Facebook accounts
The new malware FFDroider harvests login data saved in the browser and uses it to hijack social media accounts.
FFDroider targets cookies and login data.
Zscaler security researchers have discovered new malware. The information stealer, dubbed FFDroider, targets login data and cookies stored in the browser. It is distributed through cracks for software and games that victims download via torrents: installing the crack also installs FFDroider. To look unsuspicious, the malware disguises itself as a desktop app for the Telegram messenger.
Malware decrypts cookies and login data
When it starts, the malware creates a Windows registry key named "FFDroider". It aims to steal cookies and login credentials stored in Chromium-based browsers such as Google Chrome and Microsoft Edge, as well as in Internet Explorer and Mozilla Firefox. To decrypt the login data and cookies held in the browsers' SQLite databases, FFDroider calls CryptUnprotectData from the Windows Data Protection API (DPAPI); this only works because the malware runs in the logged-on user's session, whose DPAPI master key is what protected the data in the first place. For the other browsers it abuses WinINet functions such as InternetGetCookieExW and IEGetProtectedModeCookie.
Unlike other credential-stealing trojans, FFDroider is only interested in logins for social media and e-commerce websites: Amazon, Facebook, Instagram, eBay, Twitter and Etsy. Its goal is valid session cookies that can be used to authenticate to these platforms without knowing the password, and it tests their validity while running. If the test succeeds, FFDroider retrieves all of the victim's bookmarks, Facebook pages and number of friends, as well as payment and billing information from the Facebook Ads Manager.
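As an added illustration of the decryption paths described above (this is example code written for this page, not code from the article or from Zscaler's analysis), the following Python triage script opens a copy of a Chromium Cookies database, picks out the cookies for the domains FFDroider targets, and reports for each value whether it is a legacy per-value DPAPI blob (recoverable with a direct CryptUnprotectData call) or a Chromium 80+ "v10" AES-GCM value whose key sits DPAPI-wrapped in the browser's Local State file. The table schema is reduced to the columns the script needs, the cookie values and the Local State JSON are constructed sample data, and the script deliberately stops where CryptUnprotectData would be called: that call only succeeds under the victim's own Windows account, which is exactly why the stealer runs inside the user's session.

```python
import base64
import json
import sqlite3

# Social media and e-commerce domains the article names as FFDroider's targets.
TARGET_DOMAINS = ("amazon.com", "facebook.com", "instagram.com",
                  "ebay.com", "twitter.com", "etsy.com")

# Every blob written by CryptProtectData begins with version 1 and the DPAPI
# provider GUID {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in little-endian layout.
DPAPI_BLOB_PREFIX = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")
# Chromium 80+ stores values as "v10" || 12-byte nonce || AES-256-GCM ciphertext;
# the AES key is itself a DPAPI blob kept base64-encoded in the Local State file.
CHROMIUM_AES_PREFIX = b"v10"
LOCAL_STATE_KEY_PREFIX = b"DPAPI"


def decryption_path(blob: bytes) -> str:
    """Say which API sequence a stealer needs to recover a Chromium encrypted_value."""
    if blob.startswith(CHROMIUM_AES_PREFIX):
        return "AES-GCM with key unwrapped by CryptUnprotectData(Local State key)"
    if blob.startswith(DPAPI_BLOB_PREFIX):
        return "CryptUnprotectData on the value itself (legacy per-value DPAPI)"
    return "not DPAPI-protected"


def local_state_key_blob(local_state_json: str) -> bytes:
    """Extract the DPAPI blob wrapping Chromium's AES key from a Local State file.

    The returned bytes are what CryptUnprotectData would be called on; unwrapping
    needs the logged-on user's DPAPI master key, so it only works in that user's
    session. This demo stops here and does not call the Windows API.
    """
    encrypted_key = json.loads(local_state_json)["os_crypt"]["encrypted_key"]
    raw = base64.b64decode(encrypted_key)
    if not raw.startswith(LOCAL_STATE_KEY_PREFIX):
        raise ValueError("encrypted_key does not carry the DPAPI prefix")
    blob = raw[len(LOCAL_STATE_KEY_PREFIX):]
    if not blob.startswith(DPAPI_BLOB_PREFIX):
        raise ValueError("wrapped key is not a DPAPI blob")
    return blob


def matches_target(host_key: str) -> bool:
    """True if a Chromium host_key (may start with '.') belongs to a targeted domain."""
    host = host_key.lstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in TARGET_DOMAINS)


def triage_cookie_store(conn: sqlite3.Connection) -> list:
    """List cookies a responder should invalidate, with the decryption path each needs."""
    rows = conn.execute(
        "SELECT host_key, name, encrypted_value, is_secure, is_httponly, has_expires "
        "FROM cookies ORDER BY rowid").fetchall()
    findings = []
    for host_key, name, enc, is_secure, is_httponly, has_expires in rows:
        if not matches_target(host_key):
            continue
        findings.append({
            "host": host_key,
            "name": name,
            "session_cookie": not bool(has_expires),
            "secure": bool(is_secure),
            "httponly": bool(is_httponly),
            "decrypt_via": decryption_path(bytes(enc)),
        })
    return findings


def build_sample_store() -> sqlite3.Connection:
    """Constructed stand-in for a copied Chromium Cookies file (reduced schema, fake data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE cookies (
        host_key TEXT, name TEXT, value TEXT, encrypted_value BLOB,
        is_secure INTEGER, is_httponly INTEGER, has_expires INTEGER)""")
    rows = [
        (".facebook.com", "c_user", "", CHROMIUM_AES_PREFIX + b"\x11" * 28, 1, 1, 1),
        (".facebook.com", "xs", "", CHROMIUM_AES_PREFIX + b"\x22" * 40, 1, 1, 1),
        (".instagram.com", "sessionid", "", DPAPI_BLOB_PREFIX + b"\x33" * 64, 1, 1, 0),
        ("www.amazon.com", "session-id", "", CHROMIUM_AES_PREFIX + b"\x44" * 30, 1, 0, 1),
        (".example.org", "theme", "dark", b"", 0, 0, 1),
    ]
    conn.executemany("INSERT INTO cookies VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


# Constructed Local State fragment: base64("DPAPI" + fake DPAPI blob), not a real key.
SAMPLE_LOCAL_STATE = json.dumps({"os_crypt": {"encrypted_key": base64.b64encode(
    LOCAL_STATE_KEY_PREFIX + DPAPI_BLOB_PREFIX + b"\x55" * 48).decode()}})

if __name__ == "__main__":
    for f in triage_cookie_store(build_sample_store()):
        print(f"{f['host']:16} {f['name']:12} session={f['session_cookie']} {f['decrypt_via']}")
    print("Local State key blob:", local_state_key_blob(SAMPLE_LOCAL_STATE)[:20].hex())
```

Run against a real copy of a user's Cookies file (copy it first; the browser holds a lock on the live file), the output is the list of platform sessions an incident responder should revoke after an FFDroider infection. The Instagram row shows the edge case: a session cookie with no expiry stays valid until the platform invalidates it, regardless of whether the user restarts the browser.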
Beware of downloads from unknown sources
In the case of Instagram, FFDroider collects, among other things, the user's telephone number, username, password and e-mail address, and tries to log in to the service directly in order to steal even more information. Once the data has been sent to the operators, FFDroider tries at fixed intervals to download additional modules from its servers; according to Zscaler, no details about these modules are known. To protect yourself from FFDroider, refrain from illegal downloads and unknown sources or, as a precaution, have downloads checked by an antivirus solution before installation. Anyone who has already run such a crack should treat every browser session as compromised: stolen session cookies remain usable until the platform invalidates them, so log out of all sessions and change the passwords on the affected accounts.