Gooligan hooligans have compromised at least one million Google accounts

Quite possibly the largest Google account breach to date.


Attackers are using an Android malware campaign known as Gooligan to target Android users and breach the security of their Google accounts.

So far the attackers have compromised more than a million Google accounts, and they are infecting roughly 13,000 more devices every day.


A Gooligan infection begins one of two ways. Android users might tap on a malicious link sent to them in a phishing email, or they could download a fake app from a third-party store.

Let's face it: there's no good that can come from apps with names like "Sex Photo," "com.example.ddeo," and "Test."

Upon successful infection, Gooligan sends data about the infected device to its command and control server. It's then that the malware gets down and dirty.

As the Check Point research team explains in a blog post:

"Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153). These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user. If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely."

But the attackers don't stop there. They download a module onto the device that injects code into Google Mobile Services so that the malware's activity looks like the user's own and avoids detection, a technique Check Point first observed in HummingBad.

The module grants attackers the ability to load up adware, download apps and positively rate them in an attempt to generate revenue, and steal a user's Google authorization token.


An example of fake reviews and comments to one of the fraudulent applications. (Source: Check Point)

Wait... a Google authorization token? What's that?

It's essentially a credential that grants access to a Google account and its associated services. Google issues the token once a user has signed in on a device, and from then on the device presents the token instead of the password. Anyone who steals the token therefore never sees a login page at all: two-step verification (2SV) and any other sign-in protections are simply not re-checked, and the thief can reach Google Drive, Gmail, and other parts of the user's Google identity.

In other words, if you steal someone's Google authorization token, you get the same access to their Google services that their phone had, without ever knowing their password or touching their second factor.

Check Point doesn't mince its words when evaluating the seriousness of this campaign:

"Gooligan has breached over a million Google accounts. We believe that it is the largest Google account breach to date, and we are working with Google to continue the investigation. We encourage Android users to validate whether their accounts have been breached."

Info 2 revised 11 23 16 copy 768x512

Users can check whether Gooligan compromised their Google account by visiting https://gooligan.checkpoint.com/. If your account is affected, first flash a clean installation of Android onto the phone (a device the malware has rooted cannot be trusted to clean itself), and only then change your Google password. The order matters: changing the password revokes the tokens the attackers already hold, but if the malware is still on the device it will simply steal the fresh token issued when you sign back in.
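To make the token mechanics and the clean-up order concrete, here is a small Python model written for this page; it is example code, not Check Point's or Google's. The account service, the token format, the HOTP-style second factor, and the "malware" are all constructed stand-ins, and the rule that a password change revokes every outstanding token is an assumption of the model. It covers both the explanation of authorization tokens above (a bearer token alone gets API access, with no password or 2SV prompt) and the remediation advice (reflash first, then rotate the password; either step on its own leaves the attacker with a working token).

```python
"""Toy model of a Gooligan-style token theft. Constructed for illustration:
the server, token format, second factor and malware are all assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    """Server-side record; 'tokens' are the authorization tokens currently honoured."""
    salt: bytes
    password_hash: bytes
    otp_secret: bytes
    tokens: set = field(default_factory=set)


class AuthServer:
    """Stand-in for the account service (not Google's real protocol)."""

    def __init__(self):
        self.accounts = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt, otp_secret = secrets.token_bytes(16), secrets.token_bytes(20)
        self.accounts[user] = Account(salt, self._hash(password, salt), otp_secret)

    def expected_otp(self, user, counter):
        # HOTP-style code; the user's authenticator would compute the same value
        # from the shared secret, so we reuse this routine for the user's side too.
        mac = hmac.new(self.accounts[user].otp_secret,
                       counter.to_bytes(8, "big"), hashlib.sha1).digest()
        return str(int.from_bytes(mac[-4:], "big") % 1_000_000).zfill(6)

    def login(self, user, password, otp, counter):
        """Password AND second factor are checked here, and only here."""
        acct = self.accounts[user]
        if not hmac.compare_digest(self._hash(password, acct.salt), acct.password_hash):
            return None
        if not hmac.compare_digest(otp, self.expected_otp(user, counter)):
            return None
        token = secrets.token_urlsafe(24)
        acct.tokens.add(token)
        return token

    def access(self, user, token):
        """Service access: the bearer token is the whole credential, no 2SV prompt."""
        return token in self.accounts[user].tokens

    def change_password(self, user, new_password):
        """Assumed rule: rotating the password revokes every outstanding token."""
        acct = self.accounts[user]
        acct.password_hash = self._hash(new_password, acct.salt)
        acct.tokens.clear()


@dataclass
class Device:
    infected: bool
    token: str = ""
    stolen: list = field(default_factory=list)  # what the malware exfiltrated

    def sign_in(self, server, user, password, counter):
        otp = server.expected_otp(user, counter)  # user reads this off their authenticator
        self.token = server.login(user, password, otp, counter)
        assert self.token is not None
        if self.infected:  # Gooligan-style theft from the on-device account store
            self.stolen.append(self.token)


def stolen_token_grants_access():
    """Does a token copied off the phone work on its own? (No password, no 2SV.)"""
    server, user = AuthServer(), "victim@example.com"
    server.register(user, "correct horse")
    phone = Device(infected=True)
    phone.sign_in(server, user, "correct horse", counter=1)
    attacker_copy = phone.stolen[-1]
    return server.access(user, attacker_copy)


def remediate(order):
    """Run the clean-up steps in 'order'; return True if the attacker still has access."""
    server, user, pw = AuthServer(), "victim@example.com", "correct horse"
    server.register(user, pw)
    phone, counter = Device(infected=True), 1
    phone.sign_in(server, user, pw, counter)
    for step in order:
        if step == "reflash":          # clean OS image: malware gone, device signed out
            phone.infected, phone.token = False, ""
        elif step == "change_password":
            pw = "battery staple"
            server.change_password(user, pw)
        counter += 1
        phone.sign_in(server, user, pw, counter)  # user signs back in to keep using the phone
    return any(server.access(user, t) for t in phone.stolen)


if __name__ == "__main__":
    print("token alone grants access:", stolen_token_grants_access())
    for order in (["reflash", "change_password"], ["change_password", "reflash"],
                  ["reflash"], ["change_password"]):
        print(order, "-> attacker still in:", remediate(order))
```

The two orderings differ only in when the infected device hands out a fresh token: rotate the password while the malware is still resident and the very next sign-in gives it a new token to steal, so only "reflash, then change password" leaves the attacker with nothing that the server still honours.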

Gooligan likes to hang around third-party app marketplaces, so in general, Android users might be safer downloading their apps only from the Google Play Store and should never click on suspicious links.


4 Responses

  1. Bob

    December 1, 2016 at 5:40 pm #

    Not a week goes by without us hearing about another serious Android vulnerability.

    I wish Google would get their act together and secure their OS and Play Store.

    Bad security affects everybody.

    • Matthew in reply to Bob.

      December 2, 2016 at 5:43 pm #

      This attack has nothing to do with their store. And it is the carriers and OEMs who fail to make patches available to end users.

      • Bob in reply to Matthew.

        December 2, 2016 at 8:35 pm #

        Matthew, I'm referring generally to Google's lax attitude towards Android security.

        There are many pieces of malware lurking in the Play Store which have been the feature of successful infection campaigns.

        It is carriers and OEMs who delay the rollout of patches however sometimes Google themselves delay the release.

        Full disk encryption is a relatively new concept having been present in iOS and Blackberry devices for years. Hell, not all new Androids fully support encryption.

    • Spryte in reply to Bob.

      December 2, 2016 at 6:24 pm #

      I have to agree.
      We use these devices every day, from playing solitaire to banking and investing our hard-earned money.
      The big G needs to ensure that the apps we use to do all of these things are safe and secure to use, even to the point of testing the apps and, if there is an issue, reaching out to the developers and telling them what is wrong or where there are deficiencies.

      After all they know ***everything*** don't they? ;)
