Researchers say they’ve uncovered a family of Android-based malware that has compromised more than 1 million Google accounts, hundreds of them associated with enterprise users.
Gooligan, as researchers from security firm Check Point Software Technologies have dubbed the malware, has been found in at least 86 apps available in third-party marketplaces. Once installed, it uses a process known as rooting to gain highly privileged system access to devices running version 4 (Ice Cream Sandwich, Jelly Bean, and KitKat) and version 5 (Lollipop) of Google’s Android operating system. Together, the vulnerable versions account for about 74 percent of users.
The rooted devices then download and install software that steals the authentication tokens that allow the phones to access the owner’s Google-related accounts without having to enter a password. The tokens work for a variety of Google properties, including Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite. In a blog post published Wednesday morning, Check Point researchers wrote:
The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device. Our research team has found infected apps on third-party app stores, but they could also be downloaded by Android users directly by tapping malicious links in phishing attack messages. After an infected app is installed, it sends data about the device to the campaign’s Command and Control (C&C) server.
Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153). These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user. If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.
After achieving root access, Gooligan downloads a new, malicious module from the C&C server and installs it on the infected device. This module injects code into running Google Play or GMS (Google Mobile Services) to mimic user behavior so Gooligan can avoid detection, a technique first seen with the mobile malware HummingBad. The module allows Gooligan to:
- Steal a user’s Google email account and authentication token information
- Install apps from Google Play and rate them to raise their reputation
- Install adware to generate revenue
Ad servers, which don’t know whether an app using its service is malicious or not, send Gooligan the names of the apps to download from Google Play. After an app is installed, the ad service pays the attacker. Then the malware leaves a positive review and a high rating on Google Play using content it receives from the C&C server.
Update: In a separate blog post also published Wednesday morning, Director of Android Security Adrian Ludwig said he and other Google officials have worked closely with Check Point over the past few weeks to investigate Gooligan and to protect users against the threat it poses. He said there’s no evidence data was accessed from compromised accounts or that individual users were targeted. He also said Google has been using a service called Verify Apps to scan individual handsets for signs of Gooligan and other Ghost Push apps. When detected, device owners receive a warning and installations are halted.
“We’ve taken many actions to protect our users and improve the security of the Android ecosystem overall,” Ludwig wrote. “These include: revoking affected users’ Google Account tokens, providing them with clear instructions to sign back in securely, removing apps related to this issue from affected devices, deploying enduring Verify Apps improvements to protect users from these apps in the future and collaborating with ISPs to eliminate this malware altogether.”
Gooligan is an aggressive variant of Ghost Push, a piece of Android malware that came to light in September 2015. There’s no indication that any of the fraudulent apps containing the new Gooligan code have ever been available in the official Google Play Market. About 57 percent of devices infected by Gooligan are located in Asia, about 19 percent are in the Americas, about 15 percent are in Africa, and about 9 percent are in Europe.
Android users who have downloaded apps from third-party markets can visit the Check Point blog post for a list of the 86 apps known to contain Gooligan. Alternatively, users can visit this link to see if the Google account associated with their device has been compromised. Infected phones can only be disinfected by reflashing them with a clean installation of Android. Passwords for the associated Google account should be changed immediately afterward.
Post updated to reflect a change Check Point made to geographical infection figures.