Security firm Check Point released information about malware dubbed “Gooligan,” which can steal your Gmail account and authentication information, install apps from Google Play, rate them without your consent, and install adware. The latter two is used to improve app store ratings and “generate revenue.”
The malware only infects devices when a user downloads and installs a “Gooligan-infected app” on a vulnerable Android device via a third-party app store or from malicious links — you’re fine if you only download from the Google Play Store and are using a newer Android device running Android 6.0 or higher.
“After an infected app is installed, it sends data about the device to the campaign’s Command and Control (C&C) server,” the research team writes in a blog post. “Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits … These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user. If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.”
Unfortunately, nearly 74 percent Android devices run Android 4.2 Jellybean, Android 4.4 KitKat, and Android 5.0 Lollipop.
Adrian Ludwig, director of Android security at Google, said his team has been tracking a family of malware called “Ghost Push” since 2014. Ghost Push is a collection of potentially harmful apps (PHAs) that are the “most often downloaded outside of Google Play.”
“After they are installed, Ghost Push apps try to download other apps. For over two years, we’ve used Verify Apps to notify users before they install one of these PHAs and let them know if they’ve been affected by this family of malware.”
Verify Apps is an Android feature that scans devices for security threats and Google said it found more than 40,000 apps associated with the malware in 2015. Now, the company says Android detects and prevents installations of more than 150,000 variants of Ghost Push. Gooligan is one such variant of Ghost Push and Ludwig said his team has “worked closely” with Check Point to protect users.
As the motivation for Ghost Push apps is to promote apps and generate revenue, Ludwig says Google has found no evidence that user data has been accessed. There is also no evidence that a specific group of users or businesses were targeted. Google says it has improved the Verify Apps feature to protect users from these apps in the future — even if you try to install an infected app, your device will notify you and stop the installation. The search giant is also continually removing apps associated with the Ghost Push family on Google Play, as well as apps that have “benefitted from installs delivered by Ghost Push to reduce the incentive for this type of abuse.”
Google urges users to download apps from the Google Play Store so as to reduce the threat of installing a malicious app. For those accounts that have been compromised, Google has contacted users and revoked authentication tokens so that they can securely sign back in.
If you’re worried your account may be compromised, Check Point has a handy tool that lets you check. Just type in your email and hit “check” and the website will tell you if your account is safe or not.