An information stealer, FFDroider, has been stealing credentials and cookies saved in web browsers to hijack the social media accounts of targeted users.

What’s happening?

Researchers from Zscaler spotted the infostealer and published a report on the recent samples. 
  • FFDroider spreads via software cracks, games, free software, and files downloaded from torrent sites. Installing such downloads leads to FFDroider installation, disguised as the Telegram desktop app.
  • It targets cookies and account credentials saved in multiple web browsers such as Google Chrome (and Chrome-based browsers), Internet Explorer, Microsoft Edge, and Mozilla Firefox.
  • The attackers behind FFDroid are focused on stealing credentials for Instagram, Facebook, eBay, Etsy, Amazon, Twitter, and WAX Cloud wallets.
  • The researchers suspect that the attackers use these stolen credentials to authenticate on these platforms and run fraudulent ad campaigns to advertise their malware.

Technical analysis of campaign

Once launched, the malware creates a Windows registry key named FFDroider.
  • The stealer reads and parses the Chromium SQLite cookie and SQLite Credential stores and decrypts the entries by compromising Windows Crypt API and the CryptUnProtectData function.
  • The method is the same for the other browsers, wherein the functions InternetGetCookieRxW and IEGet ProtectedMode Cookie are used by the attacker for grabbing all cookies saved in Explorer and Edge.
  • The decryption and stealing end up in cleartext usernames and passwords, which are then sent via an HTTP POST request to the - http[:]//152[.]32[.]228[.]19/seemorebty (the C2 server).


Infostealers are now becoming the most commonly used malware in cyberattacks. Users should avoid illegal downloads and unknown software sources. Further, users can upload their downloads to VirusTotal to check if the download files or software are genuine or malicious.

Cyware Publisher