On Wednesday, the security firm Check Point revealed that a new and alarming malware campaign had breached over one million Google accounts. The campaign has been named Gooligan. It is a new variant of an existing Android malware campaign, the Ghost Push family referred to in Google's statement below. Shockingly, 13,000 new devices are breached every day.
Gooligan affects Android devices running Android Jelly Bean v4.1.x-4.3, KitKat v4.4 and Lollipop v5.x. These versions of Android run on about 74 percent of all Android devices. The malware is hidden inside legitimate-looking applications distributed through third-party Android app stores, the well-known alternatives to the Google Play Store that promise free versions of paid apps.
If you have downloaded any of these apps, there is a high chance that you are infected. Some of the infected apps are WiFi Enhancer and YouTube Downloader. You can check whether your account is compromised by visiting https://gooligan.checkpoint.com/, and you can review the applications installed on your device under Settings -> Apps. The Gooligan malware roots infected devices and steals authentication tokens that can be used to access data in Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.
A Google authorization token is a credential that grants access to a user's Google account and related services. Google issues it once the user has successfully logged into the account, so the user does not have to re-enter credentials for each request. A stolen authorization token therefore bypasses two-factor authentication: whoever presents the token is treated as an already-logged-in user and gets the same access. The malware also simulates clicks on app advertisements served by legitimate ad networks and forces the advertised apps to install on the device; the attacker is paid by the network each time one of these apps is installed successfully.
If your account has been breached you will have to make a clean installation of the Android OS in your device. This process is popularly referred to as “flashing”. You will need to get a certified technician to do this. Then you will need to change your Google account passwords.
The steps Google has taken include proactively notifying affected accounts, revoking affected tokens and deploying SafetyNet improvements to protect users from these apps in the future.
“We’re appreciative of both Check Point’s research and their partnership as we’ve worked together to understand these issues. As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall.”
-Adrian Ludwig, Google’s Director of Android Security