'Gooligans' Malware Infects More Than 1.3 Million Android Devices

The "Gooligan" Trojan horse, which compromises older Android devices and attempts to download other programs for affiliate fees, has given criminal operators access to more than 1 million Google accounts, according to security firm Check Point Software.

Gooligans Malware 2

A collection of rogue applications has compromised more than a million Android devices, harvesting the security tokens for Google’s services and using those tokens to download additional applications and post reviews on behalf of the users, security firm Check Point Software Technologies stated in research posted on Nov. 30.

The attack, which Check Point dubbed “Gooligan,” targets a some of the most popular versions of the Android operating system, which covers 73 percent of existing devices – those running Android versions 4.1 through 4.4 and 5.0, which are also known as Jelly Bean, KitKat and Lollipop, according to the Android Developers site.

The malware, which is included in a number of programs downloadable from third-party app stores, roots a vulnerable Android device and steals the user’s security credentials, Michael Shaulov, head of mobile products at Check Point, told eWEEK.

“We found that the malware was accessing a very important file, the crown jewels—your user name and the authorization token that allows you to access your Google accounts without having to log in,” he said.

The aim of the program is to download other programs from Google Play to collect affiliate fees for the malware’s operators and to post reviews using the victim’s credentials.

Google confirmed the existence of the mobile malware, saying the program is the latest version of a group of potentially harmful applications (PHAs) that it calls “Ghost Push.” In 2015, Google identified 40,000 apps associated with Ghost Push. This year, the operation has become more significant, with the company tracking more than 150,000 programs connected to Ghost Push.

Google confirmed that the Gooligan version of Ghost push does not steal user information, aside from the victim’s credentials.

“The motivation behind Ghost Push is to promote apps, not steal information and that held true for this variant,” Adrian Ludwig, Google’s director of Android security, said in a statement.

Check Point first became aware of the latest variant of the Ghost Push attack in August, when a customer found unknown malware on a device. The company analyzed the malware and tracked its communications to a central server, uncovering more than 700,000 stolen credentials last month. Each day, another 13,000 or so credentials were added to the trove as new devices became infected.

“When we followed up on where these tokens are being sent, we discovered a huge infrastructure with all these unique Google account tokens,” Shaulov said. “It seemed unbelievable that the biggest Google account breach to date was conducted through mobile malware.”

The attack is mainly affecting Android users in Asia, where apps are often downloaded from third-party app stores. Fifty-seven percent of users are in Asia, 19 percent in the Americas, 15 percent in Africa, and another 9 percent in Europe, according to Check Point.

Users should consider only using app stores, such as Google Play and Amazon’s app store, that review the security of submitted programs.

Infected users need to have their device erased and the operating system reinstalled by a certified technician or by a representative of the mobile carrier, Check Point said.

“If you are infected, the situation becomes much more complex,” Shaulov said. “The first thing this malware does is roots the device, basically putting a rootkit in the operating system.”

Immediately after, the user should change the password on their Google account.

Google recommends that users enable Verified Boot, do not download apps from third-party stores and update their device.

The latest Android operating system—version 7, also known as “Nougat”—is not affected by the attack, but only 0.3 percent of devices are running that version, while another 24 percent run version 6, Marshmallow.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...