New malware called Gooligan has breached more than one million Google Accounts and that number increases every day.
Check Point says the malware roots infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.
It comes from downloading legitimate but infected apps from third-party app stores – there is no evidence that these are in Google Play. Third-party app stores are popular because many of their apps are free, or offer so-called “cracked” free versions of paid apps. Gooligan-infected apps can also be installed if one is caught up in a phishing scams where attackers broadcast links to infected apps to unsuspecting users via SMS or other messaging services.
Check Point says Gooligan has breached over a million Google accounts. It believes that it is the largest Google account breach to date, and is working with Google to continue the investigation. It urges Android users to validate whether their accounts have been breached.
{loadposition ray}
What it does
Full details are on the Check Point blog. However, it seems to be limiited to older versions 4 and 5 of Android.
After achieving root access, Gooligan downloads a new, malicious module from the command anc control server and installs it on the infected device. This module injects code into running Google Play or GMS (Google Mobile Services) to mimic user behaviour so Gooligan can avoid detection, a technique first seen with the mobile malware HummingBad. The module allows Gooligan to:
- Steal a user’s Google email account and authentication token information;
- Install apps from Google Play and rate them to raise their reputation; and
- Install adware to generate revenue.
How can you check?
You can check if your account is compromised by accessing the Check Point testing website.
If your account has been breached, the following steps are required:
- A clean installation of an operating system on a mobile device is required (a process called “flashing”). As this is a complex process, it is recommended to power off the device and approach a certified technician, or mobile service provider, to request that the device is “re-flashed.”
- Change Google account passwords immediately after this process.