Android Malware Hits Google Accounts

Tuesday, December 6, 2016 @ 05:12 PM gHale

A new variant of Android malware is capable of breaching the security of more than one million Google accounts, researchers said.

The new malware campaign, named Gooligan, roots Android devices and steals email addresses and authentication tokens stored on them, said researchers at Check Point. With this information, attackers can access users’ sensitive data from Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite.


Key findings from Check Point include:
• The campaign infects 13,000 devices each day and is the first to root over a million devices.
• Hundreds of the stolen email addresses are associated with enterprise accounts worldwide.
• Gooligan targets devices on Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which represent nearly 74 percent of Android devices in use today.
• After attackers gain control over the device, they generate revenue by fraudulently installing apps from Google Play and rating them on behalf of the victim.
• Every day Gooligan installs at least 30,000 apps on breached devices, or over 2 million apps since the campaign began.

Check Point reached out to the Google security team immediately with information on this campaign.

“As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall,” said Adrian Ludwig, Google’s director of Android security.

Among other actions, Google contacted affected users and revoked their tokens, removed apps associated with the Ghost Push family from Google Play, and added new protections to its Verify Apps technology.

Check Point has set up a web site where you can check whether your account was compromised.

If your account was breached, take the following steps:
• A clean installation of the operating system on your mobile device is required (a process called “flashing”). As this is a complex process, we recommend powering off the device and taking it to a certified technician or your mobile service provider to have it re-flashed.
• Change your Google account passwords immediately after this process.

The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device, according to the Check Point blog post. “Our research team has found infected apps on third-party app stores, but they could also be downloaded by Android users directly by tapping malicious links in phishing attack messages. After an infected app is installed, it sends data about the device to the campaign’s Command and Control (C&C) server.”

Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits, including VROOT (CVE-2013-6282) and Towelroot (the futex bug, CVE-2014-3153). These exploits still plague devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user, the researchers said. If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.
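The infection chain described above leaves generic traces a technician can check before deciding whether a device needs re-flashing: an Android 4.x/5.x release exposed to VROOT/Towelroot-class kernel exploits, signs that the device is rooted, and apps that did not come through Google Play. The adb triage script below is an added example written for this article; it is not Check Point's or Google's code, and it is not a Gooligan detector (the article publishes no indicators of compromise, so none are hard-coded). It assumes adb is installed, USB debugging is enabled, and the `pm list packages -i` output format `package:NAME  installer=X`; the `TRIAGE_RUN` variable is an assumed switch so the helpers can be sourced and tested without a device.

```shell
#!/bin/sh
# Added example (not from the article, Check Point or Google): quick adb
# triage for the generic indicators described in the text. Assumptions:
# adb is on PATH, USB debugging is on, and `pm list packages -i` prints
# lines of the form "package:NAME  installer=X".

# Return 0 when the release string belongs to Android 4.x or 5.x, the
# families targeted by the VROOT/Towelroot exploits the article names.
is_vulnerable_release() {
    case "$1" in
        4.*|5.*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Given the value of ro.build.tags, return 0 if the build is signed with
# test keys, a common sign of a custom or pre-rooted ROM.
is_test_keys_build() {
    case "$1" in
        *test-keys*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Read `pm list packages -i` output on stdin and print how many packages
# were not installed by Google Play (com.android.vending). "installer=null"
# means the app was sideloaded, e.g. from a third-party store or a link.
count_non_play_installs() {
    awk '/^package:/ && $0 !~ /installer=com\.android\.vending[[:space:]]*$/ { n++ }
         END { print n + 0 }'
}

# Same filter, but print the matching lines so a technician can review them.
list_non_play_installs() {
    awk '/^package:/ && $0 !~ /installer=com\.android\.vending[[:space:]]*$/'
}

# Full triage against a connected device (requires adb; older devices emit
# CRLF, hence the tr).
triage_device() {
    release=$(adb shell getprop ro.build.version.release | tr -d '\r')
    tags=$(adb shell getprop ro.build.tags | tr -d '\r')
    patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')

    echo "Android release: $release"
    if is_vulnerable_release "$release"; then
        echo "  [!] 4.x/5.x release: exposed to VROOT/Towelroot-class kernel exploits"
    fi
    # ro.build.version.security_patch only exists from Android 6 on, so an
    # empty value itself tells you the device never got monthly patches.
    echo "Security patch level: ${patch:-<none reported>}"

    echo "Build tags: $tags"
    if is_test_keys_build "$tags"; then
        echo "  [!] build signed with test-keys"
    fi

    # Look for an su binary in the usual locations.
    for p in /system/bin/su /system/xbin/su /sbin/su /su/bin/su; do
        if adb shell "test -e $p && echo found" | grep -q found; then
            echo "  [!] su binary present at $p"
        fi
    done

    pkgs=$(adb shell pm list packages -i | tr -d '\r')
    echo "Packages not installed via Google Play: $(printf '%s\n' "$pkgs" | count_non_play_installs)"
    printf '%s\n' "$pkgs" | list_non_play_installs | sed 's/^/  /'
}

# TRIAGE_RUN=1 ./triage.sh runs against the device; otherwise the helpers
# can be sourced on their own (assumed switch, not an adb feature).
if [ "${TRIAGE_RUN:-0}" = 1 ]; then
    triage_device
fi
```

None of these checks proves infection: a sideloaded app or a test-keys build is only a reason to look closer, while a 4.x/5.x release with no security patch level reported means the kernel exploits the article describes were never patched, which is exactly why Check Point's advice is to re-flash rather than try to clean the device in place.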
