Over 1 million Google accounts compromised thanks to old Android software

Bradley Wint
Nov 30, 2016 10:37pm AST
Photo: Google

Over 13,000 Google accounts are being compromised on a daily basis thanks to outdated Android software, according to Check Point, a software security firm.

They documented over 1 million infections as part of a huge malware campaign called Gooligan. First discovered in August 2016, the malware is spread through phishing-style lures that get users to install infected software, giving the attackers access to their Google accounts. From there, the attackers are granted access to G Suite, Gmail, and other Google-related apps like the Play Store, Photos, Drive, and Docs.

How it works

Gooligan is actually quite a complex piece of software. First, the hackers hide the infected code in bogus, free lookalike apps hosted on third-party Android app stores (anything outside of Google Play). These apps tend to be ‘free’ versions of premium apps on the Play Store.

The software targets older devices running Jelly Bean, KitKat, and Lollipop by exploiting well-known vulnerabilities that grant superuser (root) access. As versions 4 and 5 of Android account for more than 70% of active devices (according to Google), there is a huge target market for the attackers to work with.

Google has since patched these vulnerabilities in later iterations of Android, but fragmentation plays a big role here, as not all devices receive the relevant security patches. Whether a device does depends on factors like the brand, model, and mobile carrier, meaning that a lot of phones on the market are still at serious risk of being taken over.

Getting back to the story, once Gooligan compromises a device, it then sends data back to a Command and Control (C&C) server with details about the phone’s software specs and potential exploits.


The server then responds by transferring a rootkit to the infected phone, allowing the hackers to remotely and automatically take control of the device by rooting it.

Once rooted, the server then carries out more instructions, including:

  • Masking itself from Google Play and Google Mobile Services (to avoid intrusion detection)
  • Stealing the user’s Google email account and authentication token information
  • Installing legitimate apps from the Play Store developed by the hackers and giving them positive ratings (to increase their rank in the popular charts)
  • Generating bogus ad revenue

Regarding ad revenue, once the legitimate apps are installed, the software runs them automatically to generate earnings on displayed ads, which would then be paid to the hackers. As these apps really do not violate any of Google Play’s terms and conditions (since they are not responsible for the infection), ad serving companies are none the wiser to their real intent.

If you’re curious to find out whether your Google account has been compromised, Check Point has a tool located at https://gooligan.checkpoint.com/ that can be used to check whether your email is on the list.

How to remove Gooligan malware

If your account was compromised, it is suggested that you go through the full works.

On the Google account side, do the obvious: change your password, set up two-factor authentication, and change your alternate email address. Because the malware uses stolen authentication tokens to access your Google apps, you will also need to flash your phone’s recovery software and operating system, and then reconfigure the phone’s root privileges. A simple factory reset won’t be enough to fix the issue.

For non-savvy users, it may be a simple case of upgrading to a newer handset, preferably one not locked to a carrier. That’s why I always recommend using Nexus (and now Pixel) devices, as they receive regular security updates.

How can this be avoided in the future?

One advantage Android has over iOS is that it can be easily customized without much hassle, but with that extended freedom comes the potential for more loopholes that can be exploited. There are a few things you can do to stay protected, though.

  • Only download trusted applications from the Play Store
  • Avoid sketchy apps, and do external research if you are not sure about an app’s credibility
  • Always keep your phone’s OS up-to-date
  • If your carrier or manufacturer limits updates, consider purchasing a newer phone that receives more frequent software updates. If you have enough technical expertise, consider installing an open source version of Android with good community backing.
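For anyone managing a fleet rather than a single handset, the two risk signals this article names (an OS release in the 4.1 to 5.1 range the campaign targeted, and installs from sources outside Google Play) can be pulled from a device inventory to decide who needs the reflash-and-reroot treatment rather than a factory reset. The script below is an added example, not from the article or from Check Point; the CSV column names and the sample devices are constructed.

```python
import csv
import io

# Inclusive Android release range the article names as targeted
# (Jelly Bean 4.1 through Lollipop 5.1).
VULNERABLE_MIN = (4, 1)
VULNERABLE_MAX = (5, 1)

def parse_release(release):
    # "5.1.1" -> (5, 1); a bare major like "5" -> (5, 0)
    parts = release.strip().split(".")
    major = int(parts[0])
    minor = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    return (major, minor)

def in_targeted_range(release):
    return VULNERABLE_MIN <= parse_release(release) <= VULNERABLE_MAX

def triage(csv_text):
    """One finding per device: a risk tier plus the remediation steps the
    article recommends (reflash rather than factory reset, rotate the
    account credentials, stop sideloading)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        old_os = in_targeted_range(row["android_release"])
        sideload = row["unknown_sources"].strip().lower() == "true"
        if old_os and sideload:
            tier = "high"
        elif old_os:
            tier = "medium"
        else:
            tier = "low"
        actions = []
        if old_os:
            actions.append("reflash-recovery-and-os")   # reset is not enough
            actions.append("change-password-enable-2fa")
        if sideload:
            actions.append("disable-unknown-sources")
        findings.append({"device": row["device_id"], "account": row["account"],
                         "tier": tier, "actions": actions})
    return findings

# Constructed sample inventory (assumed column names; not real devices).
SAMPLE_INVENTORY = """device_id,account,android_release,unknown_sources
dev-001,alice@example.com,4.4.2,true
dev-002,bob@example.com,5.1.1,false
dev-003,carol@example.com,6.0.1,true
dev-004,dave@example.com,7.0,false
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding)
```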

Unfortunately, until Google finds a way to bring as many users onto newer versions of Android such as Marshmallow (and above), Gooligan will always be out there in the wild, waiting for unsuspecting targets to attack.

However, Google and Check Point are working together to mitigate some of the issues by closing as many holes as possible, including shutting down bogus apps hosted on the Google Play Store that are being used to generate unsolicited revenue.
