FFDroider Malware

FFDroider Malware Description

The FFDroider Malware has been categorized as an infostealer. This particular piece of malware is designed to focus on the victim's social media accounts and extract as much information from them as possible. Technical details about the threat were released in a report by the researchers who analyzed several samples of the threat.

The Infection Chain

Like many malware threats, FFDroider also is being spread via compromised video games and software cracks, free applications, and games, or other popular files downloaded from shady torrent websites. FFDroider will be deployed on the user's devices alongside the downloaded items. To avoid raising suspicions and being detected, the threat will disguise itself as the desktop version of the Telegram client. One of the first actions taken by the malware will be to create a new Windows Registry key named 'FFDroider.'

Once established on the system, the malware will begin extracting data stored in the installed Web browsers. Google Chrome and other Chromium-based browsers, Mozilla Firefox, Microsoft Edge, and Internet Explorer can all be affected by the threat. To obtain the data from the Chromium SQLite cookie and the stored credentials, FFDroider utilizes the Windows Crypt API and more specifically, the CryptUnProtectData function. For the other targeted browsers, the threat abuses functions, such as InternetGetCookieRxW and IEGet ProtectedMode Cookie.

The decrypted data results in cleartext information containing the victim's account credentials, such as usernames and passwords. The extracted details are then exfiltrated to the Command-and-Control server of the operation via an HTTP POST request.

Threatening Goals

The operators of FFDroider are not satisfied with merely gaining access to the victim's accounts. No, FFDroider is designed with additional invasive capabilities. Indeed, as part of its actions, the threat uses the obtained usernames and passwords to authenticate and access the user's social media and eCommerce accounts on Facebook, Amazon, eBay, Instagram, Etsy, Twitter and the Wax Cloud wallet.

For example, FFDroider can open the victim's Facebook and fetch all Facebook pages and bookmarks, the number of friends, and the account's billing and payment information taken from the Facebook Ads manager. On Instagram, the threat will open the account edit page to see the user's email address, phone number, username, password and other confidential details.

It should be noted that FFDroid possesses the ability to download and deploy additional corrupted modules on the infected systems. Doing so can allow the attackers to perform various other invasive actions depending on their specific goals.