Check if your Android Phone is infected by Gooligan malware

Researchers from the cyber-security vendor Check Point Software Technologies announced on Wednesday that they had discovered a breach of more than 1 million Google accounts, carried out by attackers in order to steal data from mobile devices. Check Point also said the figure is still rising: as many as 13,000 new infections a day, as users keep downloading infected applications.

What is Gooligan and who is affected?

A new malware variant called Gooligan has infected more than a million Android devices running the older Android versions 4 and 5 (Jelly Bean, KitKat and Lollipop), which together account for nearly 75% of Android users.

According to the research, a device infected by Gooligan potentially grants the attacker access to data stored in any of Google's applications, including Google Docs, Google Drive, Google Photos, Gmail and Google Play. The majority of infected accounts, 57%, are in Asia; 19% are in the Americas, 9% in Europe and 15% in Africa.

[Infographic: How Gooligan works. Image credit: Check Point]

In a blog post published Wednesday morning, Check Point researchers wrote:

The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device. Our research team has found infected apps on third-party app stores, but they could also be downloaded by Android users directly by tapping malicious links in phishing attack messages. After an infected app is installed, it sends data about the device to the campaign’s Command and Control (C&C) server.

Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153). These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user. If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.

After achieving root access, Gooligan downloads a new, malicious module from the C&C server and installs it on the infected device. This module injects code into running Google Play or GMS (Google Mobile Services) to mimic user behavior so Gooligan can avoid detection, a technique first seen with the mobile malware HummingBad. The module allows Gooligan to:

  • Steal a user’s Google email account and authentication token information
  • Install apps from Google Play and rate them to raise their reputation
  • Install adware to generate revenue

Ad servers, which don't know whether an app using their service is malicious or not, send Gooligan the names of the apps to download from Google Play. After an app is installed, the ad service pays the attacker. Then the malware leaves a positive review and a high rating on Google Play using content it receives from the C&C server.

[Chart: Gooligan, a growing threat]

Check Point said it believes this is the “largest Google Account breach to date” and said it has alerted Google to the problem. “We’re appreciative of both Check Point’s research and their partnership as we’ve worked together to understand these issues,” Google’s director of Android security Adrian Ludwig told the researchers. “As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall.”

How do I know if I am infected?

Check Point has published a free online tool with which users can check whether their Google account is among those compromised: visit https://gooligan.checkpoint.com/.
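Check Point's web tool checks the account; it says nothing about the phone itself. The POSIX shell script below is an added example, not Check Point's tool or any code from the original post, that pulls three device-side indicators over adb and reports them: the Android release string (the page says Gooligan's rootkit targets 4.x and 5.x), installed packages matched against the package names that appear in the infected-app list further down this page (the list's other entries are display titles, which `pm list packages` does not show, so they are not matched here), and the presence of a `su` binary in `/system`, which is a generic "this device has been rooted" indicator and an assumption on my part rather than something the page attributes to Gooligan, so a miss there is not a clean bill of health. The `SAMPLE_PM_OUTPUT` block is a constructed sample, not a real capture, so the matcher can be exercised without a device.

```shell
#!/bin/sh
# Added example (not Check Point's checker): report Gooligan-relevant
# indicators from an Android device over adb. Run with --live to query a
# device (needs adb in PATH and USB debugging enabled); without arguments it
# runs the matcher against a constructed sample only.

# Package names copied from the infected-app list on this page.
GOOLIGAN_PACKAGES="gla.pev.zvh
tub.ajy.ics
com.browser.provider
com.so.itouch
com.fabullacop.loudcallernameringtone
com.example.ddeo"

# Constructed sample of `pm list packages` output (not a real capture).
SAMPLE_PM_OUTPUT="package:com.android.chrome
package:gla.pev.zvh
package:com.google.android.gms
package:com.example.ddeo"

# Read `pm list packages` output ("package:<name>" per line) on stdin and
# print "HIT: <name>" for every indicator match.
# Returns 0 if there was at least one hit, 1 otherwise.
scan_packages() {
    hits=0
    while IFS= read -r line; do
        pkg=${line#package:}
        for ioc in $GOOLIGAN_PACKAGES; do
            if [ "$pkg" = "$ioc" ]; then
                echo "HIT: $pkg"
                hits=$((hits + 1))
            fi
        done
    done
    [ "$hits" -gt 0 ]
}

# Returns 0 when the release string (e.g. "4.4.2", "5.1") is in the 4.x/5.x
# range that the page says Gooligan's exploits are written for.
is_vulnerable_release() {
    case "$1" in
        4.*|5.*) return 0 ;;
        *)       return 1 ;;
    esac
}

# $1 = path asked for, $2 = the device's output of `ls $1`.
# Old Android toolbox `ls` echoes the path itself when the file exists and an
# error message otherwise, so an exact match means the file is there.
su_present() {
    [ "$2" = "$1" ]
}

# Offline demo: number of hits the matcher finds in SAMPLE_PM_OUTPUT.
demo_hits() {
    printf '%s\n' "$SAMPLE_PM_OUTPUT" | scan_packages | grep -c '^HIT: '
}

live_scan() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found in PATH" >&2; return 2; }
    rel=$(adb shell getprop ro.build.version.release | tr -d '\r')
    echo "Android release: $rel"
    if is_vulnerable_release "$rel"; then
        echo "WARN: release $rel is in the 4.x/5.x range targeted by Gooligan's rootkit"
    fi
    if adb shell pm list packages | tr -d '\r' | scan_packages; then
        echo "WARN: a package name from the Gooligan app list is installed"
    fi
    for p in /system/bin/su /system/xbin/su; do
        out=$(adb shell "ls $p" 2>/dev/null | tr -d '\r')
        if su_present "$p" "$out"; then
            echo "WARN: $p exists (device is rooted; generic indicator)"
        fi
    done
}

if [ "${1:-}" = "--live" ]; then
    live_scan
else
    echo "offline demo: $(demo_hits) hit(s) in the constructed sample"
fi
```

A clean result from this script only means none of the listed package names is installed and no `su` binary is sitting in the usual places; Gooligan's module injects into Google Play and GMS processes rather than shipping as a separately named app, so the account check at Check Point's site remains the authoritative answer.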

I'm infected, what should I do now?

If your mobile device is infected, do the following:

  1. A clean installation of the Android operating system on the device is required. The process is called flashing and is technical, so we recommend having a certified technician or your mobile service provider re-flash the device. A plain factory reset is not a substitute: it wipes user data, not the system partition that malware with root access can write to.
  2. Change your Google (Gmail) password immediately, and do it from a device you trust rather than from the infected phone, since anything typed on a still-rooted device can be captured again.

Beware of the following fake apps infected by Gooligan

  • Perfect Cleaner
  • Demo
  • WiFi Enhancer
  • Snake
  • gla.pev.zvh
  • Html5 Games
  • Demm
  • memory booster
  • แข่งรถสุดโหด (Thai, roughly "Extreme Car Racing")
  • StopWatch
  • Clear
  • ballSmove_004
  • Flashlight Free
  • memory booste
  • Touch Beauty
  • Demoad
  • Small Blue Point
  • Battery Monitor
  • 清理大师 (Chinese, "Clean Master")
  • UC Mini
  • Shadow Crush
  • Sex Photo
  • 小白点 (Chinese, "Little White Dot")
  • tub.ajy.ics
  • Hip Good
  • Memory Booster
  • phone booster
  • SettingService
  • Wifi Master
  • Fruit Slots
  • System Booster
  • Dircet Browser
  • FUNNY DROPS
  • Puzzle Bubble-Pet Paradise
  • GPS
  • Light Browser
  • Clean Master
  • YouTube Downloader
  • KXService
  • Best Wallpapers
  • Smart Touch
  • Light Advanced
  • SmartFolder
  • youtubeplayer
  • Beautiful Alarm
  • PronClub
  • Detecting instrument
  • Calculator
  • GPS Speed
  • Fast Cleaner
  • Blue Point
  • CakeSweety
  • Pedometer
  • Compass Lite
  • Fingerprint unlock
  • PornClub
  • com.browser.provider
  • Assistive Touch
  • Sex Cademy
  • OneKeyLock
  • Wifi Speed Pro
  • Minibooster
  • com.so.itouch
  • com.fabullacop.loudcallernameringtone
  • Kiss Browser
  • Weather
  • Chrono Marker
  • Slots Mania
  • Multifunction Flashlight
  • So Hot
  • Google
  • HotH5Games
  • Swamm Browser
  • Billiards
  • TcashDemo
  • Sexy hot wallpaper
  • Wifi Accelerate
  • Simple Calculator
  • Daily Racing
  • Talking Tom 3
  • com.example.ddeo
  • Test
  • Hot Photo
  • QPlay
  • Virtual
  • Music Cloud

Friendly Advice

To avoid this kind of malware (or similar kinds), you should:

  • download apps only from the Google Play store or other trusted sources,
  • not install random APKs downloaded from the web,
  • be cautious when clicking links that could be phishing attempts,
  • install Android security updates whenever your device vendor offers them, since the rooting exploits Gooligan uses target bugs that have long been fixed in Android but only on devices that actually received the patches, and
  • make sure you are running up-to-date security software on your device (it usually comes pre-installed on a new device).