Gooligan, an Android Malware, Affected More Than 1 Million Google Accounts

The name itself is a terror!


 

 

Researchers at a security firm called "Check Point Software Technologies" have uncovered a new malware that has allegedly affected over a million Android devices to date. The attack campaign, named Gooligan, breached the security of over one million Google accounts. The number continues to rise at an additional 13,000 breached devices each day. The Gooligan strain has infected nearly 1.3 million Android phones since August.

 

The threat seems subtle in nature but still pretty harsh. Given that they haven't breached personal private files and used them as ransom, it seems a more purely ad-revenue-oriented attack, like a PUP or PHA; the primary focus of the malware seems to be a massive advertising campaign.

 

Quote

Researchers have said the malware affects devices going back to Jelly Bean, and as latest as Lollipop. Android 6 Marshmallow and Android 7 Nougat aren’t believed to be vulnerable to this malware family. However, thanks to sluggish Android adoption rate, at least 74% of all Android users are at risk, making up around 1.03 billion devices.

 

The module allows Gooligan to:

  • Steal a user’s Google email account and authentication token information
  • Install apps from Google Play and rate them to raise their reputation
  • Install adware to generate revenue

 

Once installed, the infected apps root the devices to gain system access of devices. The rooted devices then download and install a software that steals authentication tokens. These tokens allow the attackers to access the user’s Google-related account without having to enter a password. The tokens work with a number of Google services, including Docs, Gmail, Drive, and Photos.

 

 


 

 

 

How does Gooligan work?

The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device. Our research team has found infected apps on third-party app stores, but they could also be downloaded by Android users directly by tapping malicious links in phishing attack messages.  After an infected app is installed, it sends data about the device to the campaign’s Command and Control (C&C) server.

 

Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153). These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user. If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.

 

After achieving root access, Gooligan downloads a new, malicious module from the C&C server and installs it on the infected device. This module injects code into running Google Play or GMS (Google Mobile Services) to mimic user behavior so Gooligan can avoid detection.

 

 

Quote

the Android malware strain is believed to have earned as much as $320,000 a month

 

 

 


 

 

 

Quote

Gooligan. An aggressive variant of Ghost Push is feared to be responsible for the biggest single theft of Google accounts, recorded as yet.

 

 

Shown below are 2 examples of reviews left by users who were also found in the attacker's records as victims:

 

User ! xD

 

 

 

Quote

Check Point was able to trace the attackers’ servers, uncovering 1.3 million real Google accounts, with hundreds of business accounts having been hit too. They also said that over 30,000 apps were being downloaded every day by the infected devices.

 

 

List of fake apps infected by Gooligan

  • Perfect Cleaner
  • Demo
  • WiFi Enhancer
  • Snake
  • gla.pev.zvh
  • Html5 Games
  • Demm
  • memory booster
  • แข่งรถสุดโหด
  • StopWatch
  • Clear
  • ballSmove_004
  • Flashlight Free
  • memory booste
  • Touch Beauty
  • Demoad
  • Small Blue Point
  • Battery Monitor
  • 清理大师
  • UC Mini
  • Shadow Crush
  • Sex Photo
  • 小白点
  • tub.ajy.ics
  • Hip Good
  • Memory Booster
  • phone booster
  • SettingService
  • Wifi Master
  • Fruit Slots
  • System Booster
  • Dircet Browser
  • FUNNY DROPS
  • Puzzle Bubble-Pet Paradise
  • GPS
  • Light Browser
  • Clean Master
  • YouTube Downloader
  • KXService
  • Best Wallpapers
  • Smart Touch
  • Light Advanced
  • SmartFolder
  • youtubeplayer
  • Beautiful Alarm
  • PronClub
  • Detecting instrument
  • Calculator
  • GPS Speed
  • Fast Cleaner
  • Blue Point
  • CakeSweety
  • Pedometer
  • Compass Lite
  • Fingerprint unlock
  • PornClub
  • com.browser.provider
  • Assistive Touch
  • Sex Cademy
  • OneKeyLock
  • Wifi Speed Pro
  • Minibooster
  • com.so.itouch
  • com.fabullacop.loudcallernameringtone
  • Kiss Browser
  • Weather
  • Chrono Marker
  • Slots Mania
  • Multifunction Flashlight
  • So Hot
  • Google
  • HotH5Games
  • Swamm Browser
  • Billiards
  • TcashDemo
  • Sexy hot wallpaper
  • Wifi Accelerate
  • Simple Calculator
  • Daily Racing
  • Talking Tom 3
  • com.example.ddeo
  • Test
  • Hot Photo
  • QPlay
  • Virtual
  • Music Cloud

 


 

 

Quote

“We’re appreciative of both Check Point’s research and their partnership as we’ve worked together to understand these issues,” said Adrian Ludwig, Google’s director of Android security. “As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall.”

 

 

The security firm urges Android users to validate whether their accounts have been breached and to limit downloading of non-verified third-party apps to their Android devices.

 

 

Check whether you've been part of the vulnerability over there by entering your Gmail ID:

https://gooligan.checkpoint.com/

 

 

Did someone say e-mail?


 

 

If your account has been breached, the following steps are required:

  1. A clean installation of an operating system on your mobile device is required (a process called “flashing”). As this is a complex process, we recommend powering off your device and approaching a certified technician, or your mobile service provider, to request that your device be “re-flashed.”
  2. Change your Google account passwords immediately after this process.

 

Quote

The number continues to rise at an additional 13,000 breached devices each day.

- Check Point

 

Android security engineer Adrian Ludwig said the team was working closely with Check Point to investigate the Android malware family and to protect users. Ludwig claimed there was no evidence data was accessed from the compromised accounts, adding that users would receive a warning when such a malware strain was detected on their devices.

 

Sources:

http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/

http://wccftech.com/1-million-google-accounts-hit-android-malware-gooligan/

 

 

Details separate people.
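
A triage check built from the details in the post above (added example, not part of the original post and not Check Point's tool): it compares an Android release string and package list, captured with `adb shell getprop ro.build.version.release` and `adb shell pm list packages`, against the affected version range and the package-style identifiers in the post's app list. The sample inputs are constructed, the function names are hypothetical, and a match is only a prompt to run the account check and remediation steps the post describes, not proof of infection.

```python
import re

# Package-style identifiers copied from the post's list of infected apps.
# Display names such as "Weather" or "Google" are too generic to match on.
LISTED_PACKAGE_IDS = {
    "gla.pev.zvh", "tub.ajy.ics", "com.browser.provider", "com.so.itouch",
    "com.fabullacop.loudcallernameringtone", "com.example.ddeo",
}

def parse_packages(pm_output):
    """Return package ids from `pm list packages` lines ('package:<id>')."""
    prefix = "package:"
    return {line.strip()[len(prefix):] for line in pm_output.splitlines()
            if line.strip().startswith(prefix)}

def in_affected_range(release):
    """True for Jelly Bean (4.1) through Lollipop (5.x), the range the post gives."""
    m = re.match(r"(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        return False  # unparseable release string: do not guess
    version = (int(m.group(1)), int(m.group(2) or 0))
    return (4, 1) <= version < (6, 0)

def triage(release, pm_output):
    """Combine both signals into a verdict for one device."""
    hits = sorted(parse_packages(pm_output) & LISTED_PACKAGE_IDS)
    affected = in_affected_range(release)
    if hits and affected:
        verdict = "listed-app-on-affected-os"   # check account, plan a reflash
    elif hits:
        verdict = "listed-app-present"          # remove the app, check account
    elif affected:
        verdict = "affected-os-no-listed-app"   # exposed to the rooting exploits
    else:
        verdict = "no-indicator"
    return {"release": release.strip(), "hits": hits, "verdict": verdict}

# Constructed sample input, not taken from a real device.
SAMPLE_PM = """package:com.android.chrome
package:com.so.itouch
package:gla.pev.zvh
package:com.google.android.gms
"""

if __name__ == "__main__":
    for rel in ("5.1.1", "7.0"):
        print(triage(rel, SAMPLE_PM))
```
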


TL:DR anyone?


...Google is on the app list?

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


2 minutes ago, deXxterlab97 said:

TL:DR anyone?

Put your gmail account info here (secure site)

https://gooligan.checkpoint.com/

 

if they bump you follow up with device flashing & resetting & gmail account password change otherwise leave it as it is

 


4 minutes ago, Sauron said:

...Google is on the app list?

wait whut?


5 minutes ago, deXxterlab97 said:

TL:DR anyone?

Versions of Android 5.0 and older are vulnerable to this which installs itself through fake apps and gains access to your Google account and carries out various moneygrab adware schemes. 

Lenovo Ideapad 720s 14 inch ------ One day I'll have a desktop again...


4 minutes ago, Tech_Dreamer said:

wait whut?

It's quite a weird list in general, a bunch of them have one word names like "Test"


"Weather"??? But which one???
 


3 minutes ago, SCHISCHKA said:

a device for measuring pedos?

A pedometer is a step counter.


15 minutes ago, Tech_Dreamer said:

Put your gmail account info here (secure site)

https://gooligan.checkpoint.com/

 

if they bump you follow up with device flashing & resetting & gmail account password change otherwise leave it as it is

 

YOUR ACCOUNT WAS NOT BREACHED


So basically they know what porn I watch on daily weekly basis?


2 minutes ago, laquine said:

A pedometer is a step counter.

 

How many steps does a pedo is from you?


1 minute ago, deXxterlab97 said:

So basically they know what porn I watch on daily weekly basis?

no they are delivering advertising and installing apps to bump up play store rankings

             ☼

ψ ︿_____︿_ψ_   


Ayyy I'm on Marshmallow :D 


Just now, deXxterlab97 said:

So basically they know what porn I watch on daily weekly basis?

Don't lie, we all know that you have terrabytes of Smurfette in lingerie.

Come Bloody Angel

Break off your chains

And look what I've found in the dirt.

 

Pale battered body

Seems she was struggling

Something is wrong with this world.

 

Fierce Bloody Angel

The blood is on your hands

Why did you come to this world?

 

Everybody turns to dust.

 

Everybody turns to dust.

 

The blood is on your hands.

 

The blood is on your hands!

 

Pyo.


1 minute ago, SCHISCHKA said:

no they are delivering advertising and installing apps to bump up play store rankings

there is a list of site there


Just now, Drak3 said:

Don't lie, we all know that you have terrabytes of Smurfette in lingerie.

Sorry I don't recall Micro SD card has 1TB yet. Not on my phone, not on my budget


1 minute ago, deXxterlab97 said:

Sorry I don't recall Micro SD card has 1TB yet. Not on my phone, not on my budget

Convenient excuse, but we can check your profile to find:

3TB of total HDD space!


Just now, Drak3 said:

Convenient excuse, but we can check your profile to find:

3TB of total HDD space!


HDD is for computer not for phone :D


Just now, deXxterlab97 said:

HDD is for computer not for phone :D

Remote desktop is available on phones.


Just now, Drak3 said:

Remote desktop is available on phones.

Ok you win


1 hour ago, Tech_Dreamer said:

Put your gmail account info here (secure site)

https://gooligan.checkpoint.com/

 

if they bump you follow up with device flashing & resetting & gmail account password change otherwise leave it as it is

 

So... Is this real, or chekpoint.com just want to collect massive amounts of gmail addresses?


7 minutes ago, SpaceGhostC2C said:

So... Is this real, or chekpoint.com just want to collect massive amounts of gmail addresses?

Google blog stated they're working along with them, pretty sure if they wanted IDs they got better ways than that.
