Security researchers have warned that Android malware has compromised more than 1 million Google accounts, in the latest security scare affecting personal data.
Researchers at Check Point Software Technologies said they had discovered a “new and alarming malware campaign”, which they are calling Gooligan.
The campaign is still active, with the researchers seeing an additional 13,000 breached Android devices each day.
Check Point said Gooligan is a new variant of another Android malware campaign it found last year. It appears that the malware ‘roots’ infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive and other Google services.
The researchers have contacted Google’s security teams and are working with them to investigate the source of the Gooligan campaign.
“We’re appreciative of both Check Point’s research and their partnership as we’ve worked together to understand these issues,” said Adrian Ludwig, Google’s director of Android security. “As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall.”
According to Check Point, Gooligan potentially affects devices running Android 4 (Jelly Bean, KitKat) and Android 5 (Lollipop), which together account for over 74 percent of in-market devices today. About 57 percent of these devices are located in Asia and about nine percent are in Europe.
The researchers also identified over 80 fake apps available on third-party Android app stores that are infected with this malware, and anyone who has downloaded these fake apps could be infected.
Another infection route is phishing scams where attackers broadcast links to infected apps to unsuspecting users via SMS or other messaging services.
Check Point said hundreds of the compromised email addresses are associated with enterprise accounts worldwide. It advises Android users to check whether their account has been compromised by visiting a web page it has created for that purpose.
If your account has been compromised, Check Point advises a clean installation of the operating system on the device. This is a fairly complex process, and it says users should utilise a “certified technician, or your mobile service provider”.
It also advised users to change their Google account passwords immediately after this process.
But how does Gooligan work? According to Check Point, the infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device. Once installed, the infected app sends data about the device to the campaign’s command and control (C&C) server.
“Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153),” said Check Point. “These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user. If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.”
After the device is rooted, Gooligan downloads a new malicious module from the C&C server and installs it on the infected device. This module injects code into the running Google Play or GMS (Google Mobile Services) processes to mimic user behaviour, so that Gooligan can avoid detection and steal Google account information.
“Gooligan has breached over a million Google accounts,” said Check Point. “We believe that it is the largest Google account breach to date, and we are working with Google to continue the investigation. We encourage Android users to validate whether their accounts have been breached.”
Last month Google issued a supplemental patch for the Dirty COW Linux exploit, which can be used by hackers to gain some control over some Android devices and execute malicious code.
Prior to that, researchers from MWR Labs discovered a flaw in the Android Telephony API, which flags warnings about apps trying to send premium-rate messages without user consent. The flaw allowed the API to be manipulated by malware to display a message controlled by malicious code.