Israeli cybersecurity firm Checkpoint has discovered a new form of Android malware – Gooligan – that is spreading at an alarming rate. A Gooligan malware infection potentially gives attackers access to the Google accounts on an infected device and the data stored in Gmail, Google Drive, Google Photos, Google Play, G Suite and Google Docs.
Already, more than 1.3 million Google accounts have potentially been compromised as a result of a Gooligan malware infection, and around 13,000 new devices are being compromised every day. Checkpoint researchers said, “We believe that it is the largest Google account breach to date.”
Gooligan malware is spread via malicious applications downloaded from a host of third-party app stores. The apps look legitimate, but installing one results in a Gooligan malware infection. To date, Checkpoint has identified 86 malicious apps that are spreading the malware.
The latest versions of the Android platform are immune to attack, although owners of devices running Lollipop and older versions of the Android platform are at risk.
The malware roots infected devices, giving attackers full control of the phone. It also steals Google authentication tokens, which grant access to the full range of Google services; at this stage, however, the attackers are concentrating on generating money through ad fraud.
The malware clicks on adverts and downloads applications to infected devices. According to Checkpoint, more than 30,000 applications are being downloaded every day, and more than 2 million have been downloaded since the malware was released.
Checkpoint believes the distributor of Gooligan is likely to be a Chinese company operating on a “very strict business model.” While access to Google accounts could be gained and data stolen, it is believed those capabilities are not being exploited. Checkpoint believes the company is following the business model used by the distributors of HummingBad malware, which has been linked to a criminal division within the Chinese tech firm Yingmob.
Gooligan is an evolved version of the Android malware Ghost Push. According to Adrian Ludwig, director of Android Security at Google, “The motivation behind Ghost Push is to promote apps, not steal information, and that held true for this variant.” However, the malware is particularly dangerous due to its extensive range of capabilities.
How to Check for a Gooligan Malware Infection
Checkpoint has released an online tool that enables Android users to check whether their Google account has been breached and their device compromised.
To avoid infection, apps should not be downloaded from third-party app stores, which often fail to vet apps before making them available for download.