As if the possibility that your Android might suddenly explode wasn’t enough to worry about. Researchers at security firm Check Point have just announced the emergence of a new strain of Android-attacking malware, which they’re calling Gooligan, a particularly powerful variant of an older Android malware called Ghost Push.
Spreading through apps in third-party app stores, Gooligan is affecting 13,000 devices a day and targets Android versions 4 and 5 (Jelly Bean, KitKat and Lollipop), which represent 74 percent of Androids on the market today. It can also be downloaded by clicking infected links in phishing messages. Newer versions of the OS are unaffected (but may still explode. Happy Android-ing!).
Once a user downloads one of the 86 fake apps hosting the malware, or clicks a phishing link, Gooligan downloads a rootkit and takes advantage of two well-known vulnerabilities. In this case, the vulnerabilities are still alive and well on the user’s device, apparently because the user didn’t take the time to install the proper security patches. The attacker is then granted total control over the device and can steal all Google account information (including Gmail, Photos, and Drive), install apps, and install adware to collect revenue. One of the campaign’s main goals is to surreptitiously download apps from the Google Play Store to devices and give them good reviews as part of an advertising fraud scam.
Gooligan, the Money Making Behemoth
Gooligan is the worst data breach of Google accounts on record and has installed itself on over 2 million apps since the campaign began in August. At the moment, it doesn’t seem that the attackers are actually doing anything with the stolen data; their main goal seems to lie in the ads scam, which has so far netted them over $320,000. A month.
There are a few lessons to be gleaned from the Gooligan breach, most of which should be no-brainers. But since over 2 million devices have been affected so far, it seems that there are a whole bunch of people who use their devices with less intellect than they should. As we see time and time again, mobile devices, with our most sensitive information stored on them, can be breached pretty easily if users aren’t careful. Here are some takeaways:
- Patch and update as soon as patches are released. This goes for mobile devices and computer OSs alike.
- Never, never download apps outside the official app stores. If you do, you’re asking for trouble.
- Don’t download apps based on customer reviews alone; they may very well be faked.
- Keep away from shady links in text messages; they might just harbor malware.
Google and Check Point are working to fix the issue, but in the fractured mess that is the Android OS, things like this are often on the rise. Keep your eyes open and download with caution.