'Gooligan': Android malware breached security of 1mn users - security firm
Security firm Check Point Software Technologies said Wednesday that apps infected with the malware and installed on an Android device use exploits in Android versions 4 and 5 to access "full control of the device and can execute privileged commands remotely."
"After achieving root access, Gooligan downloads a new, malicious module from the [campaign’s Command and Control] server and installs it on the infected device," Check Point wrote. "This module injects code into running Google Play or GMS [Google Mobile Services] to mimic user behavior so Gooligan can avoid detection, a technique first seen with the mobile malware HummingBad."
The module allows Gooligan to "steal a user's Google email account and authentication token information"; "install apps from Google Play and rate them to raise their reputation"; and "install adware to generate revenue," Check Point said.
Google's Adrian Ludwig, lead engineer for Android security said Google has "worked closely with Check Point" in recent weeks to protect Android users. He said Gooligan is a variant of Ghost Push, Android malware that Google has found to have more than 150,000 variants since it was first seen more than a year ago.
"Nicknamed ‘Gooligan’, this variant used Google credentials on older versions of Android to generate fraudulent installs of other apps," Ludwig wrote of the malware.
Ludwig said Google has yet to find any evidence of fraudulent access of Google accounts or of targeting of specific users. "The motivation behind Ghost Push is to promote apps, not steal information, and that held true for this variant," he said.
Google's actions to protect its users, Ludwig wrote, include "revoking affected users’ Google Account tokens, providing them with clear instructions to sign back in securely, removing apps related to this issue from affected devices, deploying enduring Verify Apps improvements to protect users from these apps in the future and collaborating with ISPs to eliminate this malware altogether."
Check Point offered a list of the 86 "fake apps" infected by Gooligan.
"Gooligan has breached over a million Google accounts," the firm said. "We believe that it is the largest Google account breach to date, and we are working with Google to continue the investigation. We encourage Android users to validate whether their accounts have been breached."