Hackers Hide Credential Stealing Malware in Fake Cracked Software

Security researchers have spotted a new malware-pushing campaign. This time, the bad actors are using the FFDroider malware - a piece of malicious software designed to exfiltrate victim passwords and login details from Windows-based systems.

The campaign spreading FFDroider was spotted and detailed by a security research team at Zscaler. The team warned that the threat actors are hiding FFDroider inside files pretending to be cracked executables for legitimate paid software.

FFDroider grabs login info as it is typed

Zscaler described the effort to spread FFDroider as not just one but multiple ongoing campaigns. In addition to cracked installers, the malicious payload was found inside freeware downloads as well.

While FFDroider was primarily made to scrape login details for social media platforms such as Twitter, Facebook, and Instagram, it can also grab passwords for online trading platform accounts including eBay and Amazon. The malware steals those details when they are entered inside the browser login fields on a Windows system.

Once the hackers have obtained both the login name and password, they have pretty much unlimited power over the compromised account. From impersonation and fraud to hopping into other accounts that are linked inside the compromised one or that use the same credentials, the possibilities are many. Assuming payment methods are linked inside the compromised account, the list of potential issues swells even further.

How to stay safe from the FFDroider malware campaign

In what looks like a very weak attempt to conceal its presence, FFDroider creates folders similar to those used by the Telegram app and tries to pose as the legitimate app.

On the surface, it seems fairly simple to stay safe from this particular campaign - just don't go looking for cracked software and illegal copies of paid products, right? However, the hackers may also use spam emails to disseminate fake offers for the cracked software and reel victims in this way.

The advice to enable two-factor authentication on every platform and app that supports it is as valid as ever. A lot of people choose not to enable multi-factor authentication because they can't be bothered with the extra 10 seconds it takes out of their time, but with so many digital threats taking aim at all sorts of app and service accounts, MFA is still every regular user's best bet.