
Gooligan malware breaches 1m Google accounts

By Admire Moyo, ITWeb's news editor.
Johannesburg, 01 Dec 2016
The new malware campaign roots Android devices and steals e-mail addresses and authentication tokens stored on them.

A new variant of Android malware, dubbed Gooligan, has breached the security of more than one million Google accounts.

This was revealed by researchers at Israel-based cyber security firm Check Point Software Technologies.

Android is the most widely used mobile operating system today. According to a recent IDC report, Android dominates the smartphone market with a share of 87.6%.

The new malware campaign roots Android devices and steals e-mail addresses and authentication tokens stored on them.

With this information, Check Point says, attackers can access users' sensitive data from Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite.

"This theft of over a million Google account details is very alarming and represents the next stage of cyber attacks," says Michael Shaulov, Check Point's head of mobile products. "We are seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them."

According to Check Point, the campaign infects 13 000 devices each day and is the first to root over a million devices. It adds that hundreds of the e-mail addresses affected are associated with enterprise accounts worldwide.

Gooligan targets devices on Android 4 (Jelly Bean, KitKat) and Android 5 (Lollipop), which represent nearly 74% of Android devices in use today, the Israeli firm notes.
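The two facts above that matter to anyone triaging a fleet are the targeted release range (Android 4.x and 5.x) and the fact that the malware roots the device. The script below is an added example, not code from the article or from Check Point, showing how a practitioner might screen a device from an `adb shell getprop` dump and a listing of the paths where a rooting binary normally lands. The property names are real Android system properties; the `su` and Superuser paths are the conventional locations (an assumption on this page, not something the article states), and the sample dump and file list are constructed for the example.

```shell
#!/bin/sh
# Added triage helper (not from the article). Decides whether a device sits in
# the Android 4.x/5.x range Gooligan targeted and whether it shows the usual
# root indicators. Assumptions: the su/Superuser paths below are the common
# rooting artefacts, and an official build carries ro.build.tags=release-keys.

# Constructed sample of `adb shell getprop` output for a 4.4.2 device on a
# test-keys (non-official) build.
SAMPLE_PROPS='[ro.build.version.release]: [4.4.2]
[ro.build.tags]: [test-keys]
[ro.product.model]: [ExampleDevice]'

# Constructed sample of files found on the device, one path per line.
SAMPLE_FILES='/system/xbin/su
/system/app/Superuser.apk'

# Return 0 when the release string (e.g. "4.4.2", "5.1") is Android 4 or 5,
# the range the article says Gooligan targets; 1 otherwise.
is_targeted_release() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    case "$major" in
        4|5) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the value of property $2 from the getprop dump in $1.
# getprop lines look like "[ro.build.tags]: [release-keys]".
prop_value() {
    printf '%s\n' "$1" | sed -n "s/^\[$2\]: \[\(.*\)\]$/\1/p"
}

# Print how many known root artefacts appear in the newline-separated file
# list in $1 (exact path match, so "/system/xbin/su2" does not count).
count_root_indicators() {
    found=0
    for p in /system/bin/su /system/xbin/su /sbin/su /system/app/Superuser.apk; do
        if printf '%s\n' "$1" | grep -qxF "$p"; then
            found=$((found + 1))
        fi
    done
    echo "$found"
}

# Print a short verdict for one device: $1 = getprop dump, $2 = file list.
triage() {
    rel=$(prop_value "$1" ro.build.version.release)
    tags=$(prop_value "$1" ro.build.tags)
    if is_targeted_release "$rel"; then
        echo "release $rel: inside Gooligan's targeted range (Android 4.x/5.x)"
    else
        echo "release $rel: outside the targeted range"
    fi
    if [ "$tags" != "release-keys" ]; then
        echo "build tags '$tags': not an official release-keys build"
    fi
    echo "root indicators found: $(count_root_indicators "$2")"
}

# Run against the constructed sample, or against a connected device with --live.
if [ "${1:-}" = "--live" ] && command -v adb >/dev/null 2>&1; then
    live_props=$(adb shell getprop)
    live_files=$(adb shell ls /system/bin/su /system/xbin/su /sbin/su \
                 /system/app/Superuser.apk 2>/dev/null)
    triage "$live_props" "$live_files"
else
    triage "$SAMPLE_PROPS" "$SAMPLE_FILES"
fi
```

A positive result from this check is only a prompt to investigate: a device in the 4.x/5.x range is exposed, not necessarily infected, and a legitimately rooted phone will also trip the artefact check. Conversely, a rooting trojan can hide or rename its `su` binary, so a clean result does not clear the device; the token revocation Google performed is what actually closes the account-side exposure.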

After attackers gain control over the device, they generate revenue by fraudulently installing apps from Google Play and rating them on behalf of the victim. Every day, Gooligan installs at least 30 000 apps on breached devices, or over two million apps since the campaign began.

Check Point says it reached out to the Google security team immediately with information on this campaign.

"We appreciate Check Point's partnership as we've worked together to understand and take action on these issues. As part of our ongoing efforts to protect users from the Ghost Push family of malware, we've taken numerous steps to protect our users and improve the security of the Android ecosystem overall," says Adrian Ludwig, Google's director of Android security.

Among other actions, Google has contacted affected users and revoked their tokens, removed apps associated with the Ghost Push family from Google Play, and added new protections to its Verify Apps technology.

Check Point's Mobile Research Team first encountered Gooligan's code in the malicious SnapPea app in 2015.

In August 2016, the malware reappeared with a new variant and has since infected at least 13 000 devices per day. About 57% of these devices are located in Asia and about 9% are in Europe.

The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device, or when the user follows a malicious link in a phishing message.

"If your account has been breached, a clean installation of an operating system on your mobile device is required. This complex process is called flashing, and we recommend powering off your device, and approaching a certified technician or your mobile service provider, to re-flash your device," adds Shaulov.
