FFDroider is a new information-stealing malware that hijacks users’ social media accounts by collecting passwords and cookies saved in browsers. Attackers are drawn to social media accounts, particularly verified ones, because they can be abused for a range of malicious activity, including cryptocurrency fraud and malware distribution.
When these accounts have access to the social site’s ad systems, threat actors can use the stolen credentials to run malicious ads. Zscaler researchers tracked the spread of the new info-stealer and published a thorough technical analysis based on recent samples. As with most malware of this kind, FFDroider is distributed through software cracks, free software, games, and other files obtained from torrent sites.
When these downloads are run, FFDroider is installed alongside the expected files, disguised as the Telegram desktop application to avoid suspicion. Once executed, the malware creates a Windows registry entry named “FFDroider”, which is how the new malware got its name.
Zscaler’s researchers produced an attack flow chart showing how the malware ends up on victims’ devices. FFDroider targets account credentials and cookies stored in Mozilla Firefox, Google Chrome (and other Chromium-based browsers), Microsoft Edge, and Internet Explorer. For Chromium, the malware reads and parses the browser’s SQLite cookie and credential stores, then decrypts their contents with the Windows Crypt API function CryptUnprotectData.
The process is similar for the other browsers; for example, the InternetGetCookieExW and IEGetProtectedModeCookie functions are used to collect all cookies saved by Internet Explorer and Edge. The theft and decryption yield cleartext usernames and passwords, which are sent to the C2 server in an HTTP POST request; in the analysed sample the endpoint was http[:]//152[.]32[.]228[.]19/seemorebty.
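As an added detection-side example (not from the Zscaler analysis or this article), the following Python triages constructed endpoint and proxy telemetry for the behaviours described above: the “FFDroider” registry entry, a non-browser process opening Chromium’s SQLite cookie or credential stores (standard Chromium paths, assumed here), and a POST to the named C2 endpoint. The Event model, the process names and all sample records are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators taken from the write-up: the registry entry the malware creates
# and the C2 endpoint it POSTs stolen credentials to (defanged in the text).
REGISTRY_NAME = "FFDroider"
C2_HOST = "152.32.228.19"
C2_PATH = "/seemorebty"

# Chromium SQLite stores the stealer parses. These are standard Chromium
# locations assumed for the example; the article does not list paths.
BROWSER_STORES = ("\\User Data\\Default\\Login Data",
                  "\\User Data\\Default\\Cookies",
                  "\\User Data\\Default\\Network\\Cookies")
# Processes legitimately expected to open those stores (assumption).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

@dataclass
class Event:
    kind: str      # "registry", "file", or "http"
    process: str   # image name of the acting process
    detail: str    # registry value name, file path, or "METHOD host path"

def classify(event: Event) -> Optional[str]:
    """Return an alert label for an FFDroider-style indicator, else None."""
    if event.kind == "registry" and event.detail.lower() == REGISTRY_NAME.lower():
        return "ffdroider-registry-entry"
    if event.kind == "file":
        touches_store = any(event.detail.lower().endswith(s.lower()) for s in BROWSER_STORES)
        if touches_store and event.process.lower() not in BROWSER_PROCESSES:
            return "non-browser-reads-chromium-store"
    if event.kind == "http":
        m = re.match(r"(\w+)\s+(\S+)\s+(\S+)", event.detail)
        if m and m.group(1) == "POST" and m.group(2) == C2_HOST and m.group(3).startswith(C2_PATH):
            return "ffdroider-c2-post"
    return None

def scan(events: List[Event]) -> List[Tuple[str, str]]:
    """Run every event through classify() and keep the hits as (process, label)."""
    return [(e.process, label) for e in events if (label := classify(e))]

# Constructed sample telemetry (not real logs); the fake "Telegram.exe" mirrors
# the disguise the article describes.
SAMPLE_EVENTS = [
    Event("registry", "Telegram.exe", "FFDroider"),
    Event("file", "Telegram.exe", r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("file", "chrome.exe", r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Cookies"),
    Event("http", "Telegram.exe", "POST 152.32.228.19 /seemorebty"),
    Event("http", "chrome.exe", "GET www.example.com /"),
]

if __name__ == "__main__":
    for proc, label in scan(SAMPLE_EVENTS):
        print(f"{label}: {proc}")
```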
Unlike most password-stealing trojans, the operators of FFDroider are not interested in every account saved in the browser. Instead, the malware’s authors focus on credentials for social networking accounts and e-commerce sites such as Facebook, Twitter, Instagram, eBay, Etsy, Amazon, and the WAX Cloud wallet portal. The goal is to steal valid cookies that can be used to authenticate to these platforms, and the malware verifies this on the fly as part of its routine.
For example, if authentication to Facebook succeeds, FFDroider retrieves all of the victim’s Facebook pages and bookmarks, the number of friends, and the account’s billing and payment information from Facebook Ads Manager. With that access, threat actors could eventually run deceptive ad campaigns on the platform to spread their malware to a wider audience. After logging in to Instagram successfully, FFDroider opens the account edit page to obtain the account’s email address, mobile phone number, username, password, and other details.
This is an intriguing capability of the info-stealer: it does not just steal credentials, it logs in to the platform and uses the session to steal even more data. After stealing the information and transmitting everything to the C2, FFDroider focuses on downloading further modules from its servers at predetermined time intervals.
Zscaler’s analysts have not revealed much about these modules, but the addition of a downloader makes the threat considerably more dangerous. To avoid this kind of infection, users should avoid unauthorized downloads and unknown software sources. As an extra precaution, downloads can be submitted to VirusTotal to see whether antivirus engines flag them as malicious.