Android smartphone users have another piece of malware to worry about, one that can get access to data in their Gmail, Google Photos and other Google services. The Gooligan malware has affected over 1 million devices and is a serious threat, according to a report by security firm Check Point Research. In a blog post, Check Point revealed that “the attack campaign, named Gooligan, breached the security of over one million Google accounts,” and that it continues to attack over 13,000 new devices on a daily basis.
According to the security firm, the malware “steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more,” which is a serious flaw. Check Point says it is in touch with the Google Security Team and is working with them to find the source of this malware campaign.
“We’re appreciative of both Check Point’s research and their partnership as we’ve worked together to understand these issues,” said Adrian Ludwig, Google’s director of Android security, in the blog post. “As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall.”
So what exactly is Gooligan and how serious is the issue?
According to the research firm, it affects Android Jelly Bean, KitKat and Lollipop users, which is basically 74 per cent of the phones in the market. Unsurprisingly, over 57 per cent of these phones are in Asia. The firm says it found multiple fake applications infected with the malware, and those who have downloaded these apps will find their devices are impacted by Gooligan. Check Point’s official blog has a full list of the infected apps.
How to check if you’re infected? What to do if you are?
Check Point has created a website, https://gooligan.checkpoint.com, where users can enter their Gmail address and check whether it was breached. For those whose accounts were breached, Check Point recommends flashing the phone and reinstalling the OS on the mobile device. It is best to get this done at an authorised service centre, and it is also recommended that users change their Google account password after doing so.
And how does it impact your Android phone?
Check Point says it found malware code for Gooligan in several third-party Android app stores, while some of these apps are installed using phishing scams. They first found the code in the malicious SnapPea app last year, and other security vendors had also reported this malware.
According to the blog, “Logs collected by Check Point researchers show that every day Gooligan installs at least 30,000 apps fraudulently on breached devices or over 2 million apps since the campaign began.”
Once the infected app is installed, “it sends data about the device to the campaign’s Command and Control (C&C) server.” From there a rootkit is downloaded onto the device, thanks to several security patches missing from phones running Android 4 and 5. The rootkit then gives hackers full control of the device; they can then run “privileged commands remotely” and steal authentication tokens, which bypasses the need for two-factor authentication.
Gooligan also injects a new “malicious module” into Google Play, which allows it to steal email data, install apps from the store and raise their ranking, install adware, etc. Check Point found that victims had left ratings and reviews for some apps even though they had no knowledge of installing them.