FFDroider Stealer Malware

A new identity stealer has appeared recently known as FFDroider, and this info-stealer malware is capable of hijacking social media accounts by stealing sensitive information like credentials and cookies from the victims’ browsers.

This new Windows-based malware, FFDroider has been identified by the security analysts at the Zscaler ThreatLabz team, and the data stolen by this malware were sent to the command and control server controlled by the threat actors.

It is becoming increasingly obvious that social media accounts, especially verified ones, are a prime target for hackers as they are a way for them to conduct various malicious activities like:- 

  • Cryptocurrency related scams
  • Financial theft
  • Malware distribution

When a scammer gains access to a social network’s ad platform, the threat actors can exploit the compromised credentials to create malicious ads and makes the ads more attractive to lucrate targets.

While on the victim’s machine, the FFDroider info-stealer disguises itself as the instant-messaging app “Telegram” to pretend itself as a legit app and evade detection.

Spread via Fake Cracks

This new malware creates a Windows registry entry with its own name, “FFDroider” once it is launched, and FFDroider comes packed with a popular packer, “ASPack v2.12.” 

Apart from this, the threat actors spread the FFDroider stealer via the following mediums:-

  • Software cracks
  • Free software
  • Games
  • Game Cracks 
  • Downloadable files from torrent sites
  • Free games

However, in the below flow chart you can see how FFDroider is installed on victims’ devices:-

Key Features of FFDroider

Here below we have mentioned all the key features of FFDroider info-stealer:-

  • Steals cookies from the victim’s machine.
  • Steals credentials from the victim’s machine.
  • Targets the social media platforms like Facebook, Instagram, etc to steal sensitive data.
  • Using stolen cookies, the stealer access the victims’ social media accounts and steals essential data to run malicious ads.
  • In Windows Firewall, it grasps all the inbound whitelisting rules.
  • To track the infection counts, threat actors use iplogger.org.

Browsers Targeted

The FFDroid malware targets all the major web browsers like:-

  • Google Chrome
  • All Chrome-based browsers
  • Mozilla Firefox
  • Internet Explorer
  • Microsoft Edge

By abusing the Windows Crypt API (CryptUnProtectData function) FFDroid read and parses the following things:-

  • Chromium SQLite cookie
  • Chromium SQLite Credential stores
  • Decrypts the entries

Social media & E-Commerce – Prime targets

While it is worth mentioning that FFDroid’s operators aren’t interested in all the credentials stored within the web browsers on their computers, unlike many other password-stealing trojans.

Here the operators of this stealthy malware target the social media sites and eCommerce sites when it comes to stealing passwords and credentials. And here are the platforms they mainly target:-

  • Facebook
  • Instagram
  • Amazon
  • eBay
  • Etsy
  • Twitter
  • WAX Cloud wallet

The threat actors target the social media platforms to reach a larger audience base by running and promoting malicious ad campaigns. 

In order to further reinforce its cyber-defences, FFDroid focuses on downloading additional modules from its servers at regular intervals in order to intercept and play with the information stolen by the C2 (the Control Center).

In the meantime, the cybersecurity experts at the Zscaler ThreatLabz team have strongly recommended users stay away from illegally downloaded software, as well as unfamiliar software sources to avoid falling victim to this type of malware.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.