Security researchers at Check Point Software Technologies have discovered an alarming new malware campaign named Gooligan. Through this campaign, more than a million Android devices have been infected, resulting in the breach of over a million Google accounts, and the number keeps growing by an average of 13,000 newly breached devices each day.
Check Point's security team first encountered Gooligan's code in the malicious SnapPea app last year, in August 2016. About 60% of the infected devices are in Asia, followed by the Americas with 19%, and about 15% are in Africa. The Check Point team is working with Google to investigate the source of Gooligan.
How does it infect?
Gooligan spreads through legitimate-looking apps hosted on third-party Android app stores (other than the Google Play Store). The infected application is also installed through phishing campaigns, and links to it are shared via SMS and other messaging services.
How does Gooligan work?
Once the infected application is installed, the device automatically connects to the Gooligan command-and-control (C&C) servers. It then downloads a rootkit that takes advantage of multiple Android 4 and 5 exploits, among them VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153). These exploits are more than two years old but still work against these phones because users have failed to update them with the latest security fixes and patches.
Once an exploit succeeds, the attacker has full access to the Android phone and can execute privileged commands remotely. Gooligan then downloads a new module from the C&C server and installs it on the infected device. This module takes over Google Play Services to mimic user behaviour so that it goes undetected. This allows Gooligan to:
- Steal the user's Google email account and authentication token information
- Install apps from Google Play and rate them to raise their reputation
- Install adware to generate revenue
- The attacker uses the infected phone to install apps and adware that generate revenue for him.
- That's not all: Gooligan also leaves a positive review with a high rating on the Google Play Store for the apps it remotely installed on the phone.
How to check if your Google Account is breached
- Check Point, with Google's help, created a database of compromised email addresses; you can check whether your account is compromised.
- If your account is breached, follow these instructions:
- First, change your Google Account password.
- Re-install the Android operating system by flashing the device.
Takeaways from this breach
This is the biggest account breach in Google's history.
- Update your phone with the latest security patches.
- Never install an application from untrusted sources.
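The article's point is that Gooligan succeeds on phones that were never patched against two-year-old root exploits. The following added example (not Check Point's or Google's code) shows a simple triage check a support or IT team could run over the output of `adb shell getprop` to flag devices still in the exposed Android 4.x/5.x range or carrying a stale security patch level. The `[key]: [value]` line format and the `ro.build.version.*` property names are real Android properties; the sample device outputs and the patch-age cutoff are constructed for this example.

```python
"""Flag Android devices still exposed to the old root exploits Gooligan
chains (VROOT, CVE-2013-6282; Towelroot, CVE-2014-3153), which target
Android 4.x and 5.x. Added example, not Check Point's or Google's code."""
import re
from datetime import date

# Real `adb shell getprop` line format: [ro.build.version.release]: [5.1.1]
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

# Release lines the article names as hit by VROOT / Towelroot.
VULNERABLE_MAJORS = {4, 5}

# Assumption for this example: a patch level older than this date is stale.
# Pick the cutoff that matches your own patch policy.
STALE_BEFORE = date(2016, 9, 1)

# Constructed sample outputs (not captured from real devices).
OLD_DEVICE = """\
[ro.build.version.release]: [5.1.1]
[ro.build.version.sdk]: [22]
"""
PATCHED_DEVICE = """\
[ro.build.version.release]: [7.0]
[ro.build.version.sdk]: [24]
[ro.build.version.security_patch]: [2016-11-05]
"""


def parse_getprop(text):
    """Turn getprop output into a dict; lines that don't match are ignored."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def assess(props):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []

    release = props.get("ro.build.version.release", "")
    m = re.match(r"(\d+)", release)
    major = int(m.group(1)) if m else None
    if major is None:
        findings.append("unknown Android release; cannot assess exploit exposure")
    elif major in VULNERABLE_MAJORS:
        findings.append(
            f"Android {release} is in the 4.x/5.x range targeted by VROOT/Towelroot")

    # ro.build.version.security_patch only exists on Android 6.0+ builds,
    # so its absence already tells you the image predates monthly patch levels.
    patch = props.get("ro.build.version.security_patch")
    if not patch:
        findings.append("no security patch level reported (pre-6.0 or unpatched build)")
    else:
        try:
            y, mo, d = (int(x) for x in patch.split("-"))
            if date(y, mo, d) < STALE_BEFORE:
                findings.append(
                    f"security patch level {patch} is older than {STALE_BEFORE.isoformat()}")
        except ValueError:
            findings.append(f"unparseable security patch level {patch!r}")
    return findings


def is_exposed(getprop_text):
    """True if the device should be updated or reflashed before trusting it."""
    return bool(assess(parse_getprop(getprop_text)))


if __name__ == "__main__":
    for name, sample in (("old", OLD_DEVICE), ("patched", PATCHED_DEVICE)):
        print(name, "->", assess(parse_getprop(sample)) or "no findings")
```

A device that trips either check should be updated (or, if it was already infected, reflashed as the article advises) rather than just having its password rotated, because the rootkit survives a password change.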