Android, Google, Gooligan and you…

Posted: December 14, 2016 in Security
Tags: , , , , , ,

Chuck Talking Tech / by Chuck Bienenfeld

December 14, 2016

As many of you may already be aware, there is a new malware campaign called Gooligan.  This is a rootkit identified by the security researchers at Check Point that in part steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite and Google Drive.  Moreover Gooligan can be even more frightening.  This involves its ability to install other applications even ones from the Google Play store, serve up additional adware and provide 5 star ratings to applications that bought in.

This appears to affect Android 4 (Jelly Bean and KitKat) and 5 (Lollipop).  Unfortunately this covers 74% of Android devices in the market.  Note: not affected and the current release of Android – 7 (Nougat) and the previous release 6 (Marshmallow).

How does it get on your phone?  The malware code in included in applications found in 3rd party Android app stores (see appendix A on the Check Point blog for a full list of known affected application).   There has not been evidence found of application installed through the Google Play store being affected.  There is also evidence of phishing scams being used to trick users into clicking links and in some cases it is via SMS or other messaging services.

Check Point found that after the affected application is installed it sends data about the device to the command and control server.  After which Gooligan downloads a rootkit that takes advantage of a couple well known Android exploits.  If those exploits were not patched either by the device manufacturer or the service provider (which does not happen on a regular basis in the platform) the attacker has full control of the device. To check if your account has been breach you can use the “Have you been breached” site setup by Check Point.  Suggestions provided by Check Point if your account has been breach include:

  1. A clean installation of an operating system on your mobile device is required (a process called “flashing”). As this is a complex process, we recommend powering off your device and approaching a certified technician, or your mobile service provider, to request that your device be “re-flashed.”
  2. Change your Google account passwords immediately after this process.

For those interested the Check Point write up provides a in depth look at Gooligan and its presence around the world.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s