Thursday, December 5, 2024
HomeMalwareOMG....Over 1 million Google accounts may have been breached by Gooligan malware

OMG….Over 1 million Google accounts may have been breached by Gooligan malware

Published on

SIEM as a Service

 

Check your google account is hacked or not by Gooligan

World’s  biggest  Cyber Security  firm checkpoint software revealed today a new and alarming malware campaign. The attack campaign, named Gooligan, breached the security of over one million Google accounts.

The number continues to rise at an additional 13,000 breached devices each day.

Check Point reached out to the Google Security team immediately with information on this campaign. Our researchers are working closely with Google to investigate the source of the Gooligan.

- Advertisement - SIEM as a Service
Google android Security Team Statement:

“We’re appreciative of both Check Point’s research and their partnership as we’ve worked together to understand these issues,” said Adrian Ludwig, Google’s director of Android security. “As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall.”

How the Gooligan infect your google Account:
one

Malicious software disguised as legitimate apps for Android smartphones and tablets has seized control of more than one million Google accounts since August, according to research from security firm Check Point Software Technologies Ltd.

This then allows the hackers to install various apps, which they then benefit from financially by rating on Google Play in the name of the user.

Who is Mostly affected around the globe:
two

While the number of those with verified cases of Gooligan had only reached around a million since, it was apparently infecting 13,000 new devices and installing 33,000 apps every day, including a significant number of enterprise accounts.

“Gooligan, part of the Ghost Push malware family, targets devices running Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which together represent nearly 74 percent of Android devices now in use.”

Important step you should take if your google account is breached:
  1. A clean installation of an operating system on your mobile device is required (a process called “flashing”). As this is a complex process, we recommend powering off your device and approaching a certified technician, or your mobile service provider, to request that your device be “re-flashed.”
  2. Change your Google account passwords immediately after this process.
How does Gooligan work?

The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device.

checkpoint research team has found infected apps on third-party app stores, but they could also be downloaded by Android users directly by tapping malicious links in phishing attack messages.

After an infected app is installed, it sends data about the device to the campaign’s Command and Control (C&C) server.

Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153).

These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user.

If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely

module allows Gooligan

  • Steal a user’s Google email account and authentication token information
  • Install apps from Google Play and rate them to raise their reputation
  • Install adware to generate revenue
 
How did Gooligan grows up?
three

The change in the way the malware works today may be to help finance the campaign through fraudulent ad activity. The malware simulates clicks on app advertisements provided by legitimate ad networks and forces the app to install on a device.

An attacker is paid by the network when one of these apps is installed successfully.

Logs collected by Check Point researchers show that every day Gooligan installs at least 30,000 apps fraudulently on breached devices or over 2 million apps since the campaign began.

What are Google authorization tokens?

A Google authorization token is a way to access the Google account and the related services of a user. It is issued by Google once a user successfully logged into this account.

When an authorization token is stolen by a hacker, they can use this token to access all the Google services related to the user, including Google Play, Gmail, Google Docs, Google Drive, and Google Photos.

While Google implemented multiple mechanisms, like two-factor-authentication, to prevent hackers from compromising Google accounts, a stolen authorization token bypasses this mechanism and allows hackers the desired access as the user is perceived as already logged in.

List of fake apps infected by Gooligan:
  • Perfect Cleaner
  • Demo
  • WiFi Enhancer
  • Snake
  • gla.pev.zvh
  • Html5 Games
  • Demm
  • memory booster
  • แข่งรถสุดโหด
  • StopWatch
  • Clear
  • ballSmove_004
  • Flashlight Free
  • memory booste
  • Touch Beauty
  • Demoad
  • Small Blue Point
  • Battery Monitor
  • 清理大师
  • UC Mini
  • Shadow Crush
  • Sex Photo
  • 小白点
  • tub.ajy.ics
  • Hip Good
  • Memory Booster
  • phone booster
  • SettingService
  • Wifi Master
  • Fruit Slots
  • System Booster
  • Dircet Browser
  • FUNNY DROPS
  • Puzzle Bubble-Pet Paradise
  • GPS
  • Light Browser
  • Clean Master
  • YouTube Downloader
  • KXService
  • Best Wallpapers
  • Smart Touch
  • Light Advanced
  • SmartFolder
  • youtubeplayer
  • Beautiful Alarm
  • PronClub
  • Detecting instrument
  • Calculator
  • GPS Speed
  • Fast Cleaner
  • Blue Point
  • CakeSweety
  • Pedometer
  • Compass Lite
  • Fingerprint unlock
  • PornClub
  • com.browser.provider
  • Assistive Touch
  • Sex Cademy
  • OneKeyLock
  • Wifi Speed Pro
  • Minibooster
  • com.so.itouch
  • com.fabullacop.loudcallernameringtone
  • Kiss Browser
  • Weather
  • Chrono Marker
  • Slots Mania
  • Multifunction Flashlight
  • So Hot
  • Google
  • HotH5Games
  • Swamm Browser
  • Billiards
  • TcashDemo
  • Sexy hot wallpaper
  • Wifi Accelerate
  • Simple Calculator
  • Daily Racing
  • Talking Tom 3
  • com.example.ddeo
  • Test
  • Hot Photo
  • QPlay
  • Virtual
  • Music Cloud
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

Fuji Electric Indonesia Hit by Ransomware Attack

Fuji Electric Indonesia has fallen victim to a ransomware attack, impacting its operations and...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Weaponized Word Documents Attacking Windows Users to Deliver NetSupport & BurnsRAT

The threat actors distributed malicious JS scripts disguised as legitimate business documents, primarily in...

ElizaRAT Exploits Google, Telegram, & Slack Services For C2 Communications

APT36, a Pakistani cyber-espionage group, has recently upgraded its arsenal with ElizaRAT, a sophisticated...

New CleverSoar Malware Attacking Windows Users Bypassing Security Mechanisms

CleverSoar, a new malware installer, targets Chinese and Vietnamese users to deploy advanced tools...