FFDroider, a new kind of information stealer has emerged, it steals cookies and credentials from browsers and hacks the target's social media accounts. FFDroider, like any other malware, spreads through software cracks, free software games/apps, and other downloaded files from torrent sites. While installing these downloads, FFDroider will also be initialized, but as a Telegram desktop app disguise to avoid identification. After it's launched, the malware creates "FFDroider" named windows registry key, which eventually led to the naming of this malware.
FFDroider targets account credentials and cookies stored in browsers like Chrome, Mozilla Firefox, Microsoft edge, and internet explorer. For instance, the malware scans and parses SQLite Credential stores, Chromium SQLite cookies, and decrypts these entries by exploiting Windows Crypt API, particularly, the CryptUnProtectData function. The process is similar to other browsers, with functions such as InternetGetCookieRxW and IEGet ProtectedMode Cookie exploited for stealing the cookies in Microsoft Edge and Internet Explorer.
"If the authentication is successful on Facebook, for example, FFDroider fetches all Facebook pages and bookmarks, the number of the victim's friends, and their account billing and payment information from the Facebook Ads manager," reports Bleeping Computer.
The decryption and stealing of these cookies lead to clear text usernames and passwords, which are later extracted through an HTTP Post request from the C2 server in the malware campaign.
FFDroider isn't like other passwords hacking Trojans, its operators do not care about all account credentials present in the browsers. On the contrary, the malware operators focus on stealing credentials from social media accounts and e-commerce websites, these include Amazon, Facebook, Instagram, eBay, Etsy, Twitter, and WAX Cloud wallet's portal. Bleeping Computer reports, "after stealing the information and sending everything to the C2, FFDroid focuses on downloading additional modules from its servers at fixed time intervals."
