Over a million devices have already been affected by an Android malware named Gooligan, which compromises Google account data on these devices, giving the attacker access to the user’s Gmail, Google Photos, Google Docs, Google Play, Google Drive and other Google-related applications.
According to researchers from Check Point Software Technologies, an Israel-based security firm, this malware has been found in 86 apps on third-party marketplaces.
Gooligan malware has infected more than a million devices in the past few months, and 13,000 new devices are being infected every single day.
Once a user downloads any of these apps, the malware roots the device and gains system-level access to it, allowing the attacker to phish credentials of the user’s Google accounts.
Devices running Google’s Android 4 (Ice Cream Sandwich, Jelly Bean and KitKat) and Android 5 (Lollipop), which account for 74 percent of total Android users, are at risk of being affected by Gooligan.
“We’ve revoked affected users’ Google Account tokens, providing them with clear instructions to sign back in securely, removing apps related to this issue from affected devices, deploying enduring Verify Apps improvements to protect users from these apps in the future and collaborating with ISPs to eliminate this malware altogether,” Adrian Ludwig, Google’s director of Android security, stated in a post.
Check if Your Device is Infected
If you’ve been downloading apps from outside the official Google Play Store, then you should use Check Point Software Technologies’ gateway. It’s easy: just enter the email ID that’s linked with your Android device and it’ll instantly give you feedback.
57% of the total infected devices are located in Asia, 19% in the Americas, 15% in Africa and 9% in Europe.
If you wish to check for yourself whether you have downloaded any app infected by Gooligan, check out the list of apps that carry the malware and delete them as soon as possible to avoid further damage.
If your device is infected, it’ll require ‘flashing’ — a clean installation of the operating system.
This is a complex process, and it is recommended that you switch off your device, take it to a qualified technician and request that your device be ‘re-flashed’.
After the ‘re-flashing’ is done, you’ll need to change your Google account passwords. It is recommended that you don’t use third-party marketplaces to download Android apps, as any such app can be a potential threat to your device.
How Gooligan Affects Your Device
As per the findings of Check Point Software Technologies’ researchers, “after achieving root access, Gooligan downloads a new, malicious module from the C&C server and installs it on the infected device. This module injects code into running Google Play or GMS (Google Mobile Services) to mimic user behaviour so Gooligan can avoid detection.”
The module allows Gooligan to:
Steal a user’s Google email account and authentication token information
Install apps from Google Play and rate them to raise their reputation
Install adware to generate revenue
“Nicknamed ‘Gooligan’, this variant used Google credentials on older versions of Android to generate fraudulent install of other apps,” Adrian Ludwig added.
Basically, the attacker can access and use an infected device’s Google accounts after gaining root access to the device using Gooligan malware. Beware of third-party marketplaces: their apps aren’t verified by Google before you download them, as happens on Google Play, and they might carry some other malware if not Gooligan.