More than 1 million Google accounts have been breached by Android malware dubbed “Gooligan,” Check Point reported Wednesday.
The malware roots infected devices and steals authentication tokens that can be used to access data from various Google apps including Gmail, Google Docs, G Suite and Google Drive.
It potentially affects devices running Android 4 and 5.
Devices are infected when their users download legitimate-looking apps from third-party Android app stores, or click on poisoned links in SMS or other messages that lead to infected apps, Check Point said.
“Android application development and installation is similar to the Wild West,” said Thomas Pore, director of IT and services at Plixer.
“While there are rules and security vetting, it’s still very easy to get yourself in trouble.”
A Question of Identity
Gooligan is a new variant of the Android malware campaign found in the SnapPea app, according to Check Point.
However, it could be a variant of Ghost Push, as Adrian Ludwig, Google’s director of Android Security, has suggested.
Google last year found more than 40,000 apps associated with Ghost Push, he said, noting that the company’s systems now detect and prevent installation of more than 150,000 variants of the malware.
How Gooligan Works
Gooligan-infected apps send data about the infected device to the campaign’s command and control server, then download a rooting kit that uses known Android 4 and 5 root exploits such as Vroot or Towelroot.
That raises the question of why Google hasn’t done anything to prevent rooting through these long-known exploits.
“Support is expensive, and, when you’re Google or any other vendor,” said Michael Jude, a program manager at Stratecast/Frost & Sullivan.
“You have to plan allocation of resources for these things, since there are always user problems.”
Once the device is rooted, Gooligan downloads a new malicious module that lets it
- steal the user’s Gmail account and authentication token information; because a stolen token is already authenticated, using it bypasses Google’s two-factor authentication and other sign-in protections;
- install apps from Google Play and rate them to raise their reputation; and
- install adware to generate revenue.
The malware also fakes device information such as IMEI and IMSI, so it can download an app twice but make it appear that the downloads are on different devices, thus doubling the potential revenue from the apps.
Apps infected by Gooligan include “Perfect Cleaner,” “WiFi Enhancer,” “Memory Booster,” “Battery Monitor” and “Weather.”
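The install fraud described above leaves a server-side trace: one Google account installing the same app from two different device identities within minutes, sometimes with identifiers that are not even well-formed. The following Python is an added example of that detection logic, not code from Check Point or Google; the log format, field names, package names and all log lines are constructed for illustration, and the IMEI values are sample numbers, not identifiers tied to any real device.

```python
"""Flag Gooligan-style install fraud in a constructed install/rating log.

Two signals are checked:
  1. the same account installs the same package from more than one
     (IMEI, IMSI) identity inside a short window, which is what spoofing
     device identifiers to double install credit looks like from the server;
  2. an IMEI that fails the Luhn check digit, which a real handset never
     reports but a faked identifier easily can.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format): time|account|imei|imsi|package|action
SAMPLE_LOG = """\
2016-11-29T10:00:00|alice@example.com|356938035643809|310150123456789|com.example.game|install
2016-11-29T10:04:30|alice@example.com|123456789012345|310150987654321|com.example.game|install
2016-11-29T10:05:00|alice@example.com|123456789012345|310150987654321|com.example.game|rate:5
2016-11-29T11:30:00|bob@example.com|490154203237518|310260000000001|com.example.game|install
2016-11-29T18:00:00|alice@example.com|356938035643809|310150123456789|com.example.notes|install
2016-11-30T09:00:00|carol@example.com|352099001761481|310410222222222|com.example.game|install
2016-11-30T16:00:00|carol@example.com|352099001761481|310410222222222|com.example.game|install
"""


def parse_log(text):
    """Parse the pipe-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, imei, imsi, package, action = [f.strip() for f in line.split("|")]
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "imei": imei,
            "imsi": imsi,
            "package": package,
            "action": action,
        })
    return events


def imei_is_valid(imei):
    """Luhn check over all 15 digits (the last digit is the check digit)."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_spoofed_identities(events, window=timedelta(hours=1)):
    """Return {(account, package): sorted IMEIs} for accounts that installed
    the same package under different (IMEI, IMSI) pairs within `window`.
    A genuine user may own two phones, but installing the same app on both
    within an hour is rare; Gooligan does it on purpose."""
    by_key = defaultdict(list)
    for e in events:
        if e["action"] == "install":
            by_key[(e["account"], e["package"])].append(e)
    flagged = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break               # events are sorted; nothing later fits
                if (a["imei"], a["imsi"]) != (b["imei"], b["imsi"]):
                    flagged.setdefault(key, set()).update({a["imei"], b["imei"]})
    return {k: sorted(v) for k, v in flagged.items()}


def invalid_imeis(events):
    """Sorted list of distinct IMEIs in the log that fail the Luhn check."""
    return sorted({e["imei"] for e in events if not imei_is_valid(e["imei"])})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for key, imeis in find_spoofed_identities(evs).items():
        print("spoofed identity:", key, imeis)
    print("malformed IMEIs:", invalid_imeis(evs))
```

On the constructed log only the first account is flagged: it installed the same package twice within five minutes under two different identities, and the second identity is not even a valid IMEI. The third account reinstalling the same app from one device seven hours apart is left alone, which is the false positive the window and identity comparison are there to avoid.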
Protecting the User
Google has removed from Google Play apps associated with the Ghost Push family, and apps that benefited from installs delivered by the malware, Google’s Ludwig noted.
It also has improved Verify Apps to protect users in the future.
Google has notified users known to have been affected by Gooligan. It also has removed their Google Account tokens and provided them simple instructions to sign in securely, Ludwig said.
Further, it has been working with the Shadowserver Foundation, as well as multiple major ISPs that provided the infrastructure used to host and control Gooligan, in order to take down the infrastructure.
Devices with up-to-date security patches are safe, Ludwig said. Those with a publicly available factory system image, like Google’s Nexus and Pixel devices, can remove the malware by reflashing the system software.
Newer devices, including those that shipped with Android 6.0 or later, have Verified Boot enabled, so their owners can remove Ghost Push easily, Ludwig pointed out.
Patches often are delayed by wireless carriers because they need to test them for compatibility first.
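Ludwig’s criteria (Android 4 or 5, security patch level, Verified Boot) can be checked from three system properties. The POSIX shell function below is an added example of that triage, not a tool from Google or Check Point: the property values are passed as arguments so it runs without a device, and the `MIN_PATCH` cutoff for "up to date" is an assumption for illustration, since the page gives no date.

```sh
#!/bin/sh
# Added example: classify a device's exposure to Gooligan from three Android
# system properties. On a live device collect them with
#   adb shell getprop ro.build.version.release
#   adb shell getprop ro.build.version.security_patch
#   adb shell getprop ro.boot.verifiedbootstate
# and pass the values as arguments. Exit status: 0 = not exposed, 2 = exposed.
# MIN_PATCH is an assumed cutoff for an "up-to-date" patch level.
MIN_PATCH=2016-11-01

gooligan_exposure() {
  release="$1"
  patch="$2"
  vbstate="$3"

  # A "green" Verified Boot state means the boot chain verified the system
  # partition, so a persistent root implant would have been caught.
  case "$vbstate" in
    green) echo "protected: Verified Boot active ($release)"; return 0 ;;
  esac

  # Gooligan's root exploits target Android 4 and 5 only.
  case "${release%%.*}" in
    4|5) ;;
    *) echo "out-of-scope: Android $release is outside the Android 4/5 target range"; return 0 ;;
  esac

  # Older builds may not report a patch level at all; treat that as unpatched.
  if [ -z "$patch" ]; then
    echo "exposed: Android $release reports no security patch level"
    return 2
  fi

  # Compare YYYY-MM-DD dates as integers after stripping the dashes.
  patch_num=$(printf '%s' "$patch" | tr -d '-')
  min_num=$(printf '%s' "$MIN_PATCH" | tr -d '-')
  case "$patch_num" in
    ''|*[!0-9]*) echo "exposed: unparseable patch level '$patch'"; return 2 ;;
  esac
  if [ "$patch_num" -lt "$min_num" ]; then
    echo "exposed: patch level $patch predates $MIN_PATCH"
    return 2
  fi
  echo "patched: Android $release at patch level $patch"
  return 0
}
```

Run it as `gooligan_exposure "$(adb shell getprop ro.build.version.release)" "$(adb shell getprop ro.build.version.security_patch)" "$(adb shell getprop ro.boot.verifiedbootstate)"` and trim any trailing carriage returns adb adds; a non-zero exit is the cue to reflash a clean factory image rather than trust an in-place cleanup.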
Gooligan “is turning out to have serious repercussions,” Enderle said, “so I wouldn’t be surprised if Google and the carriers are discussing update periodicity right now.”