Security researchers at Check Point Software Technologies have uncovered a new variant of Android malware that the company estimates has breached more than one million Google accounts. The malware is used to steal passwords and inflate app ratings, among other things. The company has published a long list of fake apps that carry the malware.
Gooligan -- the name of the malware campaign -- roots Android devices and steals email addresses and stored authentication tokens, which Google has been using for years to help protect users. Using the stolen tokens, attackers can access users' sensitive data in Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite. "If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely," according to the researchers.
Researchers say Gooligan infects more than 13,000 devices each day and is the first campaign to root more than a million devices; hundreds of the stolen email addresses are associated with enterprise accounts worldwide. Each day the malware installs at least 30,000 apps on breached devices, more than 2 million apps since the campaign began, per researchers. The malware is used to puff up reviews on apps so that users will download them, spreading the infection further.
After attackers gain control of the device, they generate revenue by fraudulently installing apps from Google Play and rating them on behalf of the victim. Gooligan targets devices running Android 4 (Jelly Bean and KitKat) and Android 5 (Lollipop), which together represent nearly 74% of Android devices in use today, according to Check Point researchers.
Gooligan steals a user's Google email account, installs apps from Google Play and rates them to raise their reputation. The module also installs adware to generate revenue. "Ad servers, which don't know whether an app using its service is malicious or not, send Gooligan the names of the apps to download from Google Play," per researchers. "After an app is installed, the ad service pays the attacker. Then the malware leaves a positive review and a high rating on Google Play using content it receives from the C&C server."
Check Point's research team identified several such instances by cross-referencing data from breached devices with Google Play app reviews. The team warns that this should serve as a reminder of why users shouldn't rely on ratings alone to decide whether to trust an app.
Jeff Zacuto, a Check Point security expert, believes that the malware is spread by downloading and installing infected apps, either from third-party app stores or by tapping malicious links in emails, SMS or instant messages. The popularity of third-party app stores in Asia could explain the higher rate of infection in that region.
Adrian Ludwig, director of Android security at Google, wrote in a Google+ post that during the last few weeks the company's researchers have worked closely with Check Point to investigate and protect users from this variant nicknamed "Gooligan."
Ludwig writes that Gooligan is part of a family of malware called Ghost Push, which falls into the category of "hostile downloaders."
"These apps are most often downloaded outside of Google Play and after they are installed, Ghost Push apps try to download other apps," Ludwig writes. "For over two years, we’ve used Verify Apps to notify users before they install one of these PHAs and let them know if they’ve been affected by this family of malware."
The malware relies on older versions of Android to gain its foothold on devices. In 2015, Google found more than 40,000 apps associated with Ghost Push, and the company's systems now detect and prevent installation of more than 150,000 variants of Ghost Push.