World’s biggest Cyber Security firm checkpoint software revealed today a new and alarming malware campaign. The attack campaign, named Gooligan, breached the security of over one million Google accounts.
The number continues to rise at an additional 13,000 breached devices each day.
Check Point reached out to the Google Security team immediately with information on this campaign. Our researchers are working closely with Google to investigate the source of the Gooligan.
Google android Security Team Statement:
“We’re appreciative of both Check Point’s research and their partnership as we’ve worked together to understand these issues,” said Adrian Ludwig, Google’s director of Android security. “As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall.”
How the Gooligan infect your google Account:
Malicious software disguised as legitimate apps for Android smartphones and tablets has seized control of more than one million Google accounts since August, according to research from security firm Check Point Software Technologies Ltd.
This then allows the hackers to install various apps, which they then benefit from financially by rating on Google Play in the name of the user.
Who is Mostly affected around the globe:
While the number of those with verified cases of Gooligan had only reached around a million since, it was apparently infecting 13,000 new devices and installing 33,000 apps every day, including a significant number of enterprise accounts.
“Gooligan, part of the Ghost Push malware family, targets devices running Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which together represent nearly 74 percent of Android devices now in use.”
Important step you should take if your google account is breached:
- A clean installation of an operating system on your mobile device is required (a process called “flashing”). As this is a complex process, we recommend powering off your device and approaching a certified technician, or your mobile service provider, to request that your device be “re-flashed.”
- Change your Google account passwords immediately after this process.
How does Gooligan work?
The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device.
checkpoint research team has found infected apps on third-party app stores, but they could also be downloaded by Android users directly by tapping malicious links in phishing attack messages.
After an infected app is installed, it sends data about the device to the campaign’s Command and Control (C&C) server.
Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153).
These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user.
If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely
module allows Gooligan
- Steal a user’s Google email account and authentication token information
- Install apps from Google Play and rate them to raise their reputation
- Install adware to generate revenue
How did Gooligan grows up?
The change in the way the malware works today may be to help finance the campaign through fraudulent ad activity. The malware simulates clicks on app advertisements provided by legitimate ad networks and forces the app to install on a device.
An attacker is paid by the network when one of these apps is installed successfully.
Logs collected by Check Point researchers show that every day Gooligan installs at least 30,000 apps fraudulently on breached devices or over 2 million apps since the campaign began.
What are Google authorization tokens?
A Google authorization token is a way to access the Google account and the related services of a user. It is issued by Google once a user successfully logged into this account.
When an authorization token is stolen by a hacker, they can use this token to access all the Google services related to the user, including Google Play, Gmail, Google Docs, Google Drive, and Google Photos.
While Google implemented multiple mechanisms, like two-factor-authentication, to prevent hackers from compromising Google accounts, a stolen authorization token bypasses this mechanism and allows hackers the desired access as the user is perceived as already logged in.
List of fake apps infected by Gooligan:
- Perfect Cleaner
- WiFi Enhancer
- Html5 Games
- memory booster
- Flashlight Free
- memory booste
- Touch Beauty
- Small Blue Point
- Battery Monitor
- UC Mini
- Shadow Crush
- Sex Photo
- Hip Good
- Memory Booster
- phone booster
- Wifi Master
- Fruit Slots
- System Booster
- Dircet Browser
- FUNNY DROPS
- Puzzle Bubble-Pet Paradise
- Light Browser
- Clean Master
- YouTube Downloader
- Best Wallpapers
- Smart Touch
- Light Advanced
- Beautiful Alarm
- Detecting instrument
- GPS Speed
- Fast Cleaner
- Blue Point
- Compass Lite
- Fingerprint unlock
- Assistive Touch
- Sex Cademy
- Wifi Speed Pro
- Kiss Browser
- Chrono Marker
- Slots Mania
- Multifunction Flashlight
- So Hot
- Swamm Browser
- Sexy hot wallpaper
- Wifi Accelerate
- Simple Calculator
- Daily Racing
- Talking Tom 3
- Hot Photo
- Music Cloud