An aggressive malware strain dubbed Gooligan has compromised 1 million accounts associated with mobile devices, according to security firm Check Point Software Technologies.
The malware targets versions 4 and 5 of Android phones, which accounts for 74 percent of users, reports ArsTechnica. Gooligan can steal the authentication tokens of Google accounts for any affected Androids running Ice Cream Sandwich, Jelly Bean, KitKat or Lollipop.
Here’s what you need to know about the hack:
1. Gooligan is the Largest Breach of Google Accounts According to Check Point
The security firm working with Google to neutralize Gooligan believes it is the largest ever Google account breach. The malware can either be installed via downloading one of 86 infected fake apps through a third party app store or falling for a phishing scam, such as clicking on a fraudulent link in an email. A list of apps infected by Gooligan is available on Check Point’s blog post.
Google advises that users download from the Google Play store, where all the apps are certified. However, many users turn to third party app stores because they can offer free versions of paid apps, says Check Point. According to Check Point, over one million accounts have been breached by Gooligan since August 2016 after nearly a year of silence from the malware’s creators.
Checkpoint has created a site where you can check to see if your Google account has been infected. The security firm recommends a clean installation and new account passwords for infected devices.
2. Google Said that No Data Had Been Stolen From Personal Accounts
Google, Android and Check Point have been working together to minimize the threats presented by Gooligan. Android engineer Adrian Ludwig wrote in a blog post that there’s no evidence Gooligan has accessed users’ data or targeted specific users. Google uses a service called Verify Apps to detect signs of malware in apps downloaded from a third party app store. Ludwig classified Gooligan in the family of malware known as ‘Ghost Push’, which try to download other apps. Google has been removing malicious apps from Google Play and restoring security to those affected by the ‘Ghost Push’ family of malware.
Users need to grant their devices permission to download apps outside the Play Store. Google recommends keeping app-verification on to prevent account breaches. The service known as Verify App will stop the installation of Gooligan and warn the user about the threat.
3. Gooligan Writes Positive Fake Reviews, Downloads Apps and Tries to Access Personal Data
Once installed, Gooligan will try to steal authentication tokens from a user’s Google accounts, which allow it to access accounts without a password. The malware also posts fake reviews and downloads other apps. Gooligan generates revenue from ad servers after downloading apps via an infected app. After automatically installing an app, the malware will leave a high rating on Google Play. The ad servers can’t distinguish whether an app using its service is authentic or malicious.
“Our research team was able to identify several instances of this activity by cross-referencing data from breached devices with Google Play app reviews,” Check Point researchers wrote. “This is another reminder of why users shouldn’t rely on ratings alone to decide whether to trust an app.”
4. The Malware Exploits Known Vulnerabilities on Older Versions of Android
Once downloaded, the malware will send device data back to its Command and Control Server, according to Check Point researchers. From there, Gooligan downloads software that manipulates known vulnerabilities in Android phones that have not been fully patched yet. Once the security hole is exploited, Gooligan will injects malicious code into the phone that provides it with cover from detection.
Google says that devices with security patches won’t be affected. The malware was first detected last year in the SnapPea app, which allows you to control your Android device via a PC.
Here is a statement Check Point researchers published Wednesday morning
The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device. Our research team has found infected apps on third-party app stores, but they could also be downloaded by Android users directly by tapping malicious links in phishing attack messages. After an infected app is installed, it sends data about the device to the campaign’s Command and Control (CC) server.
Gooligan then downloads a rootkit from the CC server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153). These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user. If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.
After achieving root access, Gooligan downloads a new, malicious module from the CC server and installs it on the infected device. This module injects code into running Google Play or GMS (Google Mobile Services) to mimic user behavior so Gooligan can avoid detection, a technique first seen with the mobile malware HummingBad.
5. Most of the Infected Devices Are in Asia
Check Point revealed that over half of the infected devices are in Asia, with about 19 percent in the Americas. Two of the 86 apps infected with Gooligan have Chinese names. Here’s the breakdown of Gooligan infected devices, according to Check Point. More than 1 million accounts have been breached so far.
Asia: 57 percent
Americas: 19 percent
Africa: 15 percent
Europe: 9 percent