A new Android malware called Gooligan, has managed to steal access to more than 1 million Google accounts. This malware is still active and is responsible for an additional 13,000 new breaches of Android devices daily, according Check Point Technologies.
According reasearch by Checkpoint this malware roots infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.
Gooligan is a new variant of the Android malware campaign found by checkpoint researchers in the SnapPea app last year. Vulnerable Android handsets include devices running OS versions 4 (Ice Cream Sandwich, Jelly Bean, and KitKat) and 5 (Lollipop).
Checkpoint found traces of the Gooligan malware code in dozens of legitimate-looking apps on third-party Android app stores. These stores apps are free, or offer free versions of paid apps.
However, the security of these stores and the apps they sell are not always verified. Gooligan-infected apps can also be installed using phishing scams where attackers broadcast links to infected apps to unsuspecting users via SMS or other messaging services.
The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device.
Checkpoint research team has found infected apps on third-party app stores, but they could also be downloaded by Android users directly by tapping malicious links in phishing attack messages.
After an infected app is installed, it sends data about the device to the campaign’s Command and Control (C&C) server.Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153).
If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.After achieving root access, Gooligan downloads a new, malicious module from the C&C server and installs it on the infected device.
How do you know if your Google account is breached?
You can check if your account is compromised by accessing the following web site that checkpoint created: https://gooligan.checkpoint.com/.
If your account has been breached, the following steps are required:
A clean installation of an operating system on your mobile device is required (a process called “flashing”). As this is a complex process, checkpoint recommend powering off your device and approaching a certified technician, or your mobile service provider, to request that your device be “re-flashed.”
Change your Google account passwords immediately after this process.