A new malware campaign, dubbed Gooligan by Check Point, has successfully breached more than 1 million Google accounts up to this point according to the company.
About 13,000 new devices are breached every day by the malware campaign. According to Check Point's research, Android 4 and 5 are the main target of the attack which account for a little bit less than 75% of all Android devices out there.
The breach starts with the download of an infected application. Apps like WiFi enhancer, Perfect Cleaner, or Memory Booster are but some of the apps that are infected by Gooligan.
These applications are usually not offered on Google Play, but on third-party application stores or direct links on websites, in emails or messages.
When an infected app is installed on the device, it tries to communicate with a command and control server. It sends data about the device to the server, and gets a rootkit from the server in return. This rootkit exploits several vulnerabilities in Android 4 and 5.
The main issue here is that while patches are available, they may not be available for all devices, or may not have been installed by the user.
The rooting, if successful, gives the attacker full control of the device. Gooligan downloads a new module from the server and installs it on the device. This module is designed to avoid detection by Google Play or Google Mobile Services.
This module, according to Check Point, allows the attacker to steal the user's Google email account and authentication token, install apps from Google Play, and rate these apps, install adware on the device to generate revenue.
One common method of earning revenue on breached phones is to get paid for application installations. Since this is not a issue if the system is under full control, this is one of the easier ways for attackers to make money.
Check Point created an online tool that you may use to find out whether your Google account has been breached.
All you need to do is visit the website linked above, enter your Google email address in the form, solve the captcha, and hit the check button afterwards.
If your account has been breached, you need to perform the following operations immediately:
Now You: Has your device been affected by Gooligan?
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.