Android Gooligan hackers just scored the biggest ever theft of Google accounts. The battle against Android malware is ongoing, but it's a big world and Android is everywhere. It presents a tempting target for criminals, and the Gooligan malware is just the latest attempt to make a buck off the trusting nature of smartphone users. This attack has compromised more than a million phones since August, and as many as 13,000 new infections are occurring each day. Its main aim, though, is not to pilfer all that juicy data in Gmail or Docs, but to force users into downloading apps as part of a huge advertising fraud scheme, making as much as $320,000 a month.
A Gooligan infection starts with downloading an infected app from a third-party app store. Once downloaded, Gooligan determines which Android phone it has infected and takes complete control of it. To do that, the attackers have used long-known vulnerabilities, such as VROOT and Towelroot, on devices running Android 4 through 5, including Jelly Bean, KitKat and Lollipop. Upon being installed by the user, it downloads a root exploit like Towelroot to gain full access to the device. The malware then copies the user's account token and sends it to a remote server, giving the malware authors full access to the account data.
Devices infected by region, among 1 million users:
- Asia - 57% of users
- Americas - 19% of users
- Africa - 15% of users
- Europe - 9% of users
Gooligan is spreading at an alarming rate: since the start of this month, it’s been racking up an average of 13,000 new infections every day, according to researchers from Check Point. The malicious software first gains a foothold on devices when users visit a website and download a third-party app. It does not appear the cyber criminals have done anything with all that user data yet. Instead, they are using the malware to inject code into the Play Store and download apps. They earn money from the ads in garbage apps like "Fast Cleaner" and "WiFi Accelerate." As many as 30,000 apps are being downloaded by infected devices every day, according to Check Point. The attackers have forced victims to download and give positive reviews to apps on Google Play, which provides an illicit revenue stream as the hackers also run advertisements within the applications.
The rate at which Gooligan is spreading is extremely high, but Google and Check Point are working together to deal with the threat. A tool has been released for users to scan their phones for infection, and Google has reset the account tokens for compromised accounts. Apps associated with Gooligan activity have also been pulled from the store. If you've got an older device, it's probably a good idea to avoid installing any random APKs you find online.
No user data theft, says Google
It does not appear the hackers are actually using the account credentials to pilfer user data. Google’s Android security chief, Adrian Ludwig, posted a blog about Gooligan today, saying the company had not seen any evidence of other fraudulent activity on the stolen accounts, outside of the promotion of apps. “The motivation behind Ghost Push is to promote apps, not steal information, and that held true for this variant,” said Ludwig.
[Ghost Push - Gooligan is a variant of an old piece of malware known as Ghost Push that Google has been fighting in earnest for the last year.]
Yes, my device is infected. Now what?
Check Point's report lists two things you will have to do.
- First, perform a clean installation of the operating system on your mobile device, a process called "flashing". This is a complex process, and it is recommended that users power off their device and take it to a certified technician or mobile service provider.
- Second, change your Google account passwords as soon as possible.
It is also recommended that you do not download Android apps from any store other than the official Google Play store.
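Since Gooligan arrives through apps from third-party stores, a quick triage step on a suspect device is to list which packages were not installed by Google Play. The script below is an added example and not Check Point's tool or anything from the article; it assumes the output format of `adb shell pm list packages -i` and that Google Play's installer package is com.android.vending, and it runs on a constructed listing embedded inline rather than a live device.

```shell
#!/bin/sh
# Added example: flag packages whose recorded installer is not Google Play.
# Input lines look like the output of `adb shell pm list packages -i`:
#   package:com.example.app  installer=com.android.vending
# Assumptions (not from the article): Google Play installs as
# com.android.vending; "installer=null" means sideloaded or preinstalled,
# so system apps will also show up and must be triaged by hand.

PLAY_INSTALLER="com.android.vending"

# Constructed sample listing standing in for a real device.
SAMPLE_LISTING='package:com.android.chrome  installer=com.android.vending
package:com.example.cleanerpro  installer=null
package:com.example.wifiboost  installer=com.thirdparty.store
package:com.android.settings  installer=null'

# Reads a listing on stdin and prints "<package> <installer>" for every
# package that did not come from Google Play.
flag_non_play_packages() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # Split "package:<name>" and "installer=<name>" on whitespace.
        set -- $line
        pkg=${1#package:}
        installer=${2#installer=}
        [ -n "$installer" ] || installer="unknown"
        if [ "$installer" != "$PLAY_INSTALLER" ]; then
            printf '%s %s\n' "$pkg" "$installer"
        fi
    done
}

# Number of flagged packages in the sample listing, for a quick summary.
count_non_play_packages() {
    printf '%s\n' "$SAMPLE_LISTING" | flag_non_play_packages | wc -l | tr -d ' '
}
```

On a real device, replace the sample with `adb shell pm list packages -i | flag_non_play_packages`; anything flagged that the owner did not knowingly sideload is worth a closer look.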
Source: Android Police