Million Google Accounts Hacked by ‘Gooligan’ Android Malware

Security researchers have warned that Android malware has compromised more than 1 million Google accounts, in the latest security scare affecting personal data.

Researchers at Check Point Software Technologies said that they had discovered a “new and alarming malware campaign”, which they are calling Gooligan.

And the malware campaign is still active, with the researchers seeing an additional 13,000 breached Android devices each day.

Gooligan Malware

Check Point said Gooligan is a new variant of another Android malware campaign it found last year. It seems that the malware ‘roots’ infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive etc.

The researchers have contacted Google’s security teams and are working with them to investigate the source of the Gooligan campaign.

“We’re appreciative of both Check Point’s research and their partnership as we’ve worked together to understand these issues,” said Adrian Ludwig, Google’s director of Android security. “As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall.”

According to Check Point, Gooligan potentially affects devices on Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which is over 74 percent of in-market devices today. About 57 percent of these devices are located in Asia and about nine percent are in Europe.

The researchers also identified over 80 fake apps, available on third party Android web stores, that are infected with this malware. Anyone who has downloaded these fake apps could be infected.

Another infection route is phishing scams where attackers broadcast links to infected apps to unsuspecting users via SMS or other messaging services.

Check Point said hundreds of the email addresses that have been compromised are associated with enterprise accounts worldwide. It advises Android users to check whether their account has been compromised by using a web site that it has created.

If your account has been compromised, Check Point advises the user to do a clean installation of the operating system on their device. It is a fairly complex process, and it says users should utilise a “certified technician, or your mobile service provider”.

It also advised users to change their Google account passwords immediately after this process.

But how does Gooligan work? According to Check Point, the infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device. After an infected app is installed, it sends data about the device to the campaign’s Command and Control (C&C) server.

“Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153),” said Check Point. “These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user. If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.”

After the device is rooted, Gooligan downloads a new, malicious module from the C&C server and installs it on the infected device. This module injects code into the running Google Play or GMS (Google Mobile Services) process to mimic user behaviour, so that Gooligan can avoid detection and steal Google account information.

“Gooligan has breached over a million Google accounts,” said Check Point. “We believe that it is the largest Google account breach to date, and we are working with Google to continue the investigation. We encourage Android users to validate whether their accounts have been breached.”

Android Security

Android of course has a fairly poor security reputation compared to other mobile platforms. In October alone Google patched a massive 78 Android vulnerabilities.

Last month it issued a supplemental patch for the Dirty COW Linux exploit that can be used by hackers to gain some control over some Android devices and execute malicious code.

Prior to that, researchers from MWR Labs discovered a flaw in the Android Telephony API, which flags warnings about apps trying to send premium rate messages without user consent. The flaw allowed the API to be manipulated by malware to display a message controlled by malicious code.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
