A newly discovered malware program that targets older versions of the Android OS has infected roughly 1.3 million Google accounts, currently breaching devices at a clip of 13,000 victims per day, according to researchers at Check Point Software Technologies.
The malware, dubbed Gooligan, is a substantially evolved variant of the Ghost Push trojan that as recently as October was reported to root Android phones running on Lollipop and earlier versions. Gooligan roots phones as well, Check Point explained in a Wednesday blog post, but in the process steals Google authorization tokens, potentially allowing attackers to hijack and steal data from a host of Google services including Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive and more.
However, it appears so far that the Gooligan attackers are not actually leveraging the malware data-stealing capabilities; instead, they have concentrated their efforts on generating ill-gotten profits via ad fraud operations, whereby infected phones automatically click on advertisements that download unwanted applications. Indeed, logs collected by Check Point reveal that on a daily basis Gooligan installs at least 30,000 apps on breached devices, or 2 million altogether since the campaign began last August.
Michael Shaulov, head of products, mobile and cloud security at Check Point, told SC Media in an interview on Wednesday that the attackers may be leveraging Gooligan in this limited fashion because they are likely a “commercial company, probably originating from China,” that adheres to a “very strict business model.”
In that sense, the perpetrators have seemingly modeled themselves after the cybercriminal organization responsible for propagating HummingBad, another malware that roots Android devices for ad fraud purposes. According to a separate Check Point report released in July, HummingBad is attributed to a criminal division operating within an otherwise legitimate Chinese tech company called Yingmob. Gooligan's distributors, Shaulov concluded, may conduct their underhanded business under similar circumstances and restrictions. “It's hard to imagine a commercial entity would by itself completely change its business model” and begin stealing data, he added, noting that the malware nevertheless remains dangerous because of its capabilities.
Where Gooligan differs from HummingBad is how it actually compromises Google accounts. Upon infection, the malware connects with a command-and-control server and downloads a rootkit that capitalizes on several Android exploits including VROOT and Towelroot. If the malware successfully roots the phone, it essentially takes control, downloading a new malicious module that infects code into Google Play or Google Mobile Services “to mimic user behavior so Gooligan can avoid detection,” the blog post explains.
“Several Ghost Push variants use publicly known vulnerabilities that are unpatched on older devices to gain privileges that allow them to install applications without user consent. In the last few weeks, we've worked closely with Check Point… to investigate and protect users from one of these variants,” commented Adrian Ludwig, director of Android Security at Google, in his own online post.
Ludwig assured readers that there is currently no evidence that the hackers accessed user's Google data. “The motivation behind Ghost Push is to promote apps, not steal information, and that held true for this variant,” wrote Ludwig in his post, also noting that there was no sign that any specific users are being targeted in the campaign.
Once it compromises Google, the malware can then steal the user's Google email account and authorization token information, as well as install unwanted apps and adware. Leveraging users' compromised Google accounts, the attackers can even create fake reviews and assign high ratings to these unwanted apps in order to convince other mobile users to download the programs. “Potentially, this process is automated because all the comments look the same” on the app's review page, said Shaulov. (Amusingly, noted Shaulov, mixed in with the phony laudatory comments are several one-star reviews in which infected users wrote something along the lines of “What the hell this app doing on my phone? I never downloaded it!”)
According to the report, the only way to fix an infected phone is to take it to a certified technician or mobile service provider and have it re-flashed. Users would then need to change all of their Google account passwords.
Gooligan is delivered primarily via untrustworthy third-party app store downloads and phishing campaigns. It affects devices running on Android 4 (Jelly Bean and KitKat) and 5 (Lollipop), which together compromises about 73 percent of in-market Android devices today. Of the 1 million breached Google accounts cited in the Check Point report (that number was subsequently revised to 1.3 million), 57 percent are located in Asia, and 19 percent are based in America. (Africa is home to 15 percent of the breached Google accounts, while Europe has nine percent.) Some of the breached accounts are corporate in nature, Shaulov confirmed.
Aaron Lint, VP of research for mobile apps protection firm Arxan Technologies, said that this latest campaign should serve as a warning to mobile app providers that they must safeguard against malware that downloads or advertises their programs fraudulently, potentially hurting their reputations in the process.
"This malware… speaks to the importance of validating the mobile environment your applications run on. Your applications have a leg up if they can detect when rooting exploits have applied, causing the end user to be more susceptible to fraud and loss,” said Lint. “Having that telemetry in your application can permit your risk prevention measures to be aware of users which have these compromised devices. Your business can respond with extra monitoring, password and credential revocation, or even notifying your customers that they are at risk."
Based on a data dump it uncovered during its investigation, Check Point has set up a website for users to look up their email addresses to determine if their Google accounts were breached.