Photo: Google

Over 1 million Google accounts compromised thanks to old Android software

Bradley Wint
By - Founder/Executive Editor
Nov 30, 2016 10:37pm AST

Over 13,000 Google accounts are being compromised on a daily basis thanks to outdated Android software, according to Check Point, a software security firm.

They documented over 1 million cases of infection as part of a huge malware campaign called Gooligan. First discovered in August 2016, the script uses phishing techniques to install infected software, giving hackers access to users’ Google accounts. As a result, they would then be granted access to G Suite, Gmail, and other Google-related apps like the Play Store, Photos, Drive, and Docs.

How it works

Gooligan is actually quite a complex piece of software. First, the hackers hide the infected code in bogus, free lookalike apps hosted on third-party Android app stores (anything outside of Google Play). These apps tend to be ‘free’ versions of premium apps on the Play Store.

The software targets older devices running Jelly Bean, KitKat, and Lollipop by exploiting well-known vulnerabilities that can allow superuser access. As versions 4 and 5 of Android account for about 70+% of active devices (according to Google), there is a huge target market for hackers to work with.

Google has since patched these vulnerabilities in later iterations of Android, but fragmentation plays a big role here, as not all devices receive the relevant security patches. This depends on factors like the brand name, model, and mobile carrier, meaning that a lot of phones on the market are still at serious risk of being taken over.

Getting back to the story, once Gooligan compromises a device, it then sends data back to a Command and Control (C&C) server with details about the phone’s software specs and potential exploits.

The server then responds by transferring a rootkit to the infected phone, allowing the hackers to remotely and automatically take control of the device by rooting it.

Once rooted, the server then carries out more instructions, including:

  • Masking itself from Google Play and Google Mobile Services (to avoid intrusion detection)
  • Stealing the user’s Google email account and authentication token information
  • Installing legitimate apps from the Play Store developed by the hackers and giving them positive ratings (to increase their rank in the popular charts)
  • Generating bogus ad revenue

Regarding ad revenue, once the legitimate apps are installed, the software runs them automatically to generate earnings on displayed ads, which would then be paid to the hackers. As these apps really do not violate any of Google Play’s terms and conditions (since they are not responsible for the infection), ad serving companies are none the wiser to their real intent.

If you’re curious to find out whether your Google account has been compromised, Check Point has a tool located at that can be used to check whether your email is on the list.

How to remove Gooligan malware

If your account was compromised, it is suggested that you go through the full works.

On your Google account side of things, do the obvious such as changing your password, setting up two-factor authentication and changing your alternate email address. As the malware uses token authentication to access your Google apps, you will need to flash your phone’s recovery software and operating system. Also, you would need to reconfigure the phone’s root privileges. A simple factory reset won’t be enough to fix the issue.

For non-savvy users, it may be a simple case of upgrading to a newer handset, preferably one not locked to a carrier. That’s why I always recommend using Nexus (and now Pixel) devices, as they receive regular security updates.

How can this be avoided in the future?

One advantage Android has over iOS is its ability to be easily customized without much hassle, but with that extended freedom comes the potential for more loopholes that can be exploited. There are a few things you can do to stay protected though.

  • Only download trusted applications from the Play Store
  • Avoid sketchy apps, and do external research if you are not sure about an app’s credibility
  • Always keep your phone’s OS up-to-date
  • If your carrier or manufacturer limits updates, consider purchasing a newer phone that receives more frequent software updates. If you have enough technical expertise, consider installing an open source version of Android with a good community backing.
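
Two of the checks in the list above (the Android version and where apps were installed from) can be automated when reviewing several devices. The following is an added example, not code from Check Point or from the original article: it parses constructed samples of `adb shell getprop ro.build.version.release` and `adb shell pm list packages -3 -i` output, flags releases in the Jelly Bean, KitKat and Lollipop range (4.1 to 5.1), and lists third-party packages whose installer is not the Play Store (`com.android.vending`). The function names and sample package names are hypothetical.

```python
import re

# Releases the article names as targeted: Jelly Bean (4.1-4.3),
# KitKat (4.4) and Lollipop (5.0-5.1).
TARGETED_MIN = (4, 1)
TARGETED_MAX = (5, 1)
PLAY_STORE_INSTALLER = "com.android.vending"

# One line of `pm list packages -3 -i` output.
PKG_LINE = re.compile(r"^package:(?P<name>\S+)\s+installer=(?P<installer>\S+)$")


def parse_release(release):
    """Turn a numeric release string such as '4.4.2' into (major, minor)."""
    parts = release.strip().split(".")
    major = int(parts[0])
    minor = int(parts[1]) if len(parts) > 1 else 0
    return (major, minor)


def in_targeted_range(release):
    """True when the release falls in the 4.1-5.1 range."""
    return TARGETED_MIN <= parse_release(release) <= TARGETED_MAX


def non_play_packages(pm_output):
    """Return (package, installer) pairs not installed by the Play Store."""
    found = []
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m and m.group("installer") != PLAY_STORE_INSTALLER:
            found.append((m.group("name"), m.group("installer")))
    return found


def assess(release, pm_output):
    """Combine both checks into one review record for a device."""
    targeted = in_targeted_range(release)
    outside_play = non_play_packages(pm_output)
    return {"targeted_release": targeted,
            "non_play_packages": outside_play,
            "needs_review": targeted and bool(outside_play)}


# Constructed sample input (not taken from a real device).
SAMPLE_RELEASE = "4.4.2\n"
SAMPLE_PM = """\
package:com.example.mail  installer=com.android.vending
package:com.example.freegame  installer=null
package:com.example.wifitool  installer=com.example.altstore
"""

if __name__ == "__main__":
    print(assess(SAMPLE_RELEASE, SAMPLE_PM))
```

A flagged device is a candidate for closer review, not proof of infection: sideloaded apps report `installer=null`, and legitimate enterprise tooling can also appear as a non-Play installer.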

Unfortunately, until Google finds a way to bring as many users onto newer versions of Android such as Marshmallow (and above), Gooligan will always be out there in the wild, waiting for unsuspecting targets to attack.

However, Google and Check Point are working together to mitigate some of the issues by closing as many holes as possible, including shutting down bogus apps hosted on the Android Play Store being used to generate unsolicited revenue.
