Facebook Users Targeted By Android Policy Exploit

A few months back, we discussed the Android Same Origin Policy (SOP) vulnerability, which we later found to have a wider reach than first thought. Now, under the collaboration of Trend Micro and Facebook, attacks are found which actively attempt to exploit this particular vulnerability, whose code we believe was based in publicly available Metasploit code. This attack targets Facebook users via a link in a particular Facebook page that leads to a malicious site. This page contains obfuscated JavaScript code (see in Figure 1 below), which includes an attempt to load a Facebook URL (seen in Figure 2) in an inner frame. The user will only see a blank page as the page's HTML has been set not to display anything via its div tag (Figure 3), while the inner frame has a size of one pixel (Figure 4).

Figure 1. Malware code segment upon opening the Facebook page

Figure 2. Corresponding content of opened Facebook page

Figure 3. The main page is set to be invisible

Figure 4. The inner frame has a size of one pixel

While these routines are being carried out, the SOP bypass is being performed. A remote JavaScript file is loaded from a legitimate cloud storage provider:

Figure 5. The JavaScript file that performs SOP bypass

The said file contains the malicious code of this attack and allows attackers to carry out the following activities or routines on Facebook:

Add friends
Like and follow Facebook pages
Modify subscriptions
Authorize a Facebook app to access the user’s public profile, friends list, birthday information, likes and friends’ likes
Steal the victim’s access tokens and upload them to their server at http://{BLOCKED}martforchristmas.website/walmart/j/index.php?cid=544fba6ac6988&access_token= $token;
Collect analytics data (such as victims’ location, HTTP referrer, etc.) using the legitimate service at https://whos.{BLOCKED}ung.us/pingjs/

In addition to the code at the above site, we found a similar attack at http://www.{BLOCKED}php.com/x/toplu.php. We believe both of them are created by the same author because they share several function names, as well as the client_id of the Facebook app. Which app was authorized? The client_id involved in this malware was “2254487659”. This is an official BlackBerry App maintained by BlackBerry. We confirmed with BlackBerry and clarified that this malware is trying to take advantage of the trusted BlackBerry brand name and steal user’s access-tokens, which can be used to make requests to Facebook APIs and read user’s information or to publish content to Facebook on behalf of a person. Blackberry released this statement: “The mobile malware using the Android SOP Exploit (Android Same Origin Policy Bypass Exploit) is designed to target Facebook users regardless of their mobile device platform. However, it attempts to take advantage of the trusted BlackBerry brand name by using our Facebook web app. BlackBerry is continuously working with Trend Micro and Facebook to detect and mitigate this attack. Note that the issue is not a result of an exploit to Blackberry’s hardware, software, or network.” Google has already released fixes for this vulnerability as noted in our earlier post. However, not all users may be able to update their browser and/or Android version. Until device vendors are able to release patches, users will still be at risk. The threats related to this attack are detected by Trend Micro products as JS_ANDRSOPEXP.A and HTML_ANDRSOPEXP.A.