Over 13,000 Google accounts are being compromised on a daily basis thanks to outdated Android software, according to Check Point, a software security firm.
They documented over 1 million cases of infections as part of a huge malware campaign called Gooligan. First discovered in August 2016, the script uses phishing techniques to install infected software, giving hackers access to users’ Google accounts. As a result, they would then be granted access to G Suite, GMail, and other Google related apps like the Play Store, Photos, Drive, and Docs.
Gooligan is actually quite a complex piece of software. First, the hackers hide the infected code in bogus, free lookalike apps hosted on third-party Android app stores (anything outside of Google Play). These apps tend to be ‘free’ versions of premium apps on the Play Store.
The software targets older devices running Jellybean, KitKat, and Lollipop by exploiting well known vulnerabilities which can allow for super user access. As versions 4 and 5 of Android account for about 70+% of active devices (according to Google), there is a huge target market for hackers to work with.
Google has since patches these vulnerabilities in later iterations of Android, but fragmentation plays a big role here as not all devices receive the relevant security patches. This is dependent on factors like the brand name, model, and mobile carrier, meaning that a lot of phones on the market are still at serious risk of being taken over.
Getting back to the story, once Gooligan compromises a device, it then sends data back to a Command and Control (C&C) server with details about the phone’s software specs and potential exploits.
The server then responds by transferring a rootkit to the infected phone, allowing the hackers to remotely and automatically take control of the device by rooting it.
Once rooted, the server then carries out more instructions, including:
Regarding ad revenue, once the legitimate apps are installed, the software runs them automatically to generate earnings on displayed ads, which would then be paid to the hackers. As these apps really do not violate any of Google Play’s terms and conditions (since they are not responsible for the infection), ad serving companies are none the wiser to their real intent.
If you’re curious to find out whether your Google account has been compromised, Check Point has a tool located at https://gooligan.checkpoint.com/ that can be used to check whether your email is on the list.
If your account was compromised, it is suggested that you go through the full works.
On your Google account side of things, do the obvious such as changing your password, setting up two-factor authentication and changing your alternate email address. As the malware uses token authentication to access your Google apps, you will need to flash your phone’s recovery software and operating system. Also, you would need to reconfigure the phone’s root privileges. A simple factory reset won’t be enough to fix the issue.
For a non-savvy users, it may be a simple case of upgrading to a newer handset, preferably one not locked to a carrier. That’s why I always recommend using Nexus (and now Pixel) devices, as they receive regular security updates.
One advantage Android has over iOS is its ability to be easily customize it without much hassle, but with that extended freedom, comes the potential of more loopholes that can be exploited. There are a few things you can to do to stay protected though.
Unfortunately, until Google finds a way to bring as many users onto newer versions of Android such as Marshmallow (and above), Gooligan will always be out there in the wild, waiting for unsuspecting targets to attack.
However, Google and Check Point are working together to mitigate some of the issues by closing as many holes as possible, including shutting down bogus apps hosted on the Android Play Store being used to generate unsolicited revenue.