- December 1st, 2016
Gooligan is the latest malware attack to breach the security of over one million Google accounts, and it continues to breach an additional 13,000 devices every day. The malware roots an infected Android device and steals the Google authentication tokens stored on it; those tokens can then be used to access data in Google Play, Gmail, Google Drive, Google Docs, Google Photos, G Suite, and more, exposing email addresses, photos, documents and other personal information.
How Does Gooligan Work?
Infection begins when a malicious app is installed on the Android device, either from a third-party app store or from a malicious link in a phishing scam. Once installed, the app sends data about the device to the malware campaign’s Command and Control (C&C) server, which responds by downloading a rootkit onto the device. With root access, the attacker has full control of the device and its data remotely.
Beyond access and control of the device, root access also allows the attackers to steal authentication tokens. Google uses these tokens to authorize users and give them access to all Google services. Two-factor authentication is one of the security mechanisms that prevents hackers from compromising accounts, but a stolen authentication token bypasses it: the token represents a session that is already logged in, so the hacker can access the user's account without ever being asked for a password or second factor.
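To make the token point concrete, here is a small illustrative model written for this article, not Google's code or anything taken from the Gooligan analysis. It assumes a hypothetical `TokenService` that requires a password and a one-time code once at login, then accepts the resulting bearer token on every later request; the per-user `gen` counter is a constructed stand-in for the kind of server-side revocation Google applied to affected accounts.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real service would use a managed, rotated secret.
SECRET_KEY = b"constructed-demo-key"
TOKEN_TTL = 3600  # token lifetime in seconds


class TokenService:
    """Hypothetical bearer-token issuer with generation-based revocation."""

    def __init__(self, key=SECRET_KEY):
        self._key = key
        self._generation = {}   # user -> generation counter, bumped on revocation
        self._credentials = {}  # user -> (password, otp); constructed demo store

    def register(self, user, password, otp):
        self._credentials[user] = (password, otp)
        self._generation[user] = 1

    def login(self, user, password, otp, now=None):
        """Full authentication: password AND second factor are checked once."""
        if self._credentials.get(user) != (password, otp):
            return None
        return self._issue(user, now if now is not None else time.time())

    def _issue(self, user, now):
        # Payload carries the subject, the generation it was issued under, and expiry.
        payload = {"sub": user, "gen": self._generation[user], "exp": int(now) + TOKEN_TTL}
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{tag}"

    def authorize(self, token, now=None):
        """Bearer check: whoever presents a valid token is treated as logged in.
        No password or second factor is requested again, which is exactly why a
        token copied off a rooted device sidesteps two-factor authentication."""
        now = now if now is not None else time.time()
        try:
            body, tag = token.split(".", 1)
        except ValueError:
            return None
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None  # signature mismatch: forged or tampered token
        payload = json.loads(base64.urlsafe_b64decode(body))
        if payload["exp"] < now:
            return None  # expired
        if payload["gen"] != self._generation.get(payload["sub"]):
            return None  # issued before the last revocation
        return payload["sub"]

    def revoke_all(self, user):
        """Mitigation after compromise: every token issued so far becomes invalid."""
        self._generation[user] += 1


if __name__ == "__main__":
    svc = TokenService()
    svc.register("alice", "correct-horse", "123456")
    tok = svc.login("alice", "correct-horse", "123456")
    print("token accepted as:", svc.authorize(tok))
    svc.revoke_all("alice")
    print("after revocation:", svc.authorize(tok))
```

The design choice worth noting is that revocation never needs a list of stolen tokens: bumping the user's generation invalidates every outstanding token at once, which is the shape of response you want when you cannot know which tokens an attacker has copied.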
Who is Affected?
In the research conducted by Check Point security research teams, it was discovered that Gooligan affects Android 4 and 5 devices, which is over 74% of devices on the market. Infected devices were breached due to fake applications that were downloaded from third-party app stores or through phishing scams. It is recommended to view your device’s application list in ‘Settings – Apps’ to determine if you have downloaded one of the malicious applications onto your device.
You can check online to see if your Google account has been compromised by accessing the Gooligan Checker. All you have to do is enter your email address, and you will find out whether your account has been breached.
What to Do if You’ve Been Affected?
Google is taking numerous steps to protect their users and improve Android security by notifying affected accounts, revoking affected tokens and deploying SafetyNet improvements to protect users from these malicious apps in the future.
If your account has been breached, the following steps are recommended:
- Approach a certified technician or your mobile service provider to perform a clean installation of your operating system
- Change your passwords to all of your Google accounts
How to Avoid Gooligan?
It is highly recommended to avoid downloading mobile applications from third-party app stores, even if they look legitimate and even though they appear to be cheaper than some apps in Google Play. The security of these stores and the apps they sell is not always verified. It is also recommended that you equip your device with a mobile security application, which can detect whether your device has been compromised and protect you from malicious apps and operating system attacks.
Gooligan is the largest Google account breach to date, and it’s affecting over 13,000 more devices each day. Check to see if you have downloaded a malicious application, and also determine whether your Google account has been compromised. Remain vigilant in avoiding third-party app stores, and get mobile security protection for your device to ensure you’re secure against phishing scams and operating system attacks.