5 Things Solution Providers Should Know About Gooligan Malware

A Major Breach

Check Point Software Technologies said Wednesday that its researchers discovered a new Android malware, called Gooligan, that has breached more than a million Android accounts. The news comes as Google has looked to ramp up the security of its Android OS, including now pushing automatic security updates. In a blog post about the discovery, Check Point called the Gooligan malware the "largest Google account breach to date" and said it shows a shift toward more mobile attacks.

"This theft of over a million Google account details is very alarming and represents the next stage of cyberattacks," said Michael Shaulov, Check Point's head of mobile products. "We are seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them." Here are the fast facts on what partners need to know.

Who Was Affected?

More than 1 million accounts were compromised by the Gooligan malware, Check Point said. It affects devices running Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which amounts to nearly 74 percent of total Android devices.

The attack also continues to grow, Check Point said, affecting 13,000 new devices each day and installing at least 30,000 apps on breached devices every day (more than 2 million to date).

How Does The Attack Work?

A device is infected when a user downloads an infected application onto their device or clicks a malicious link in a phishing email, Check Point said. Check Point said it has found traces of the malware on "dozens of legitimate-looking apps" on third-party app stores (it has compiled a list of known infected apps on its blog). It was first discovered in the malicious SnapPea backup application. Once a device is infected, the malware sends data about the device to a command-and-control server, downloads a rootkit and can then take full control of the device and execute commands, such as stealing email account and authentication token information, installing apps, and installing adware. Check Point said it appears that attackers are funding the campaign by simulating clicks on app advertisements and leaving positive reviews and high ratings, leading to further app sales.

What Does It Give Hackers Access To?

The malware is intended to steal email addresses and authentication tokens that are located on Android devices, Check Point said. From there, the company said attackers can gain access to data from Gmail, Google Photos, Google Docs, Google Play, Google Drive and G Suite.

Are Enterprises Affected?

Check Point said that enterprise Google accounts were also affected by this breach. It said it identified "hundreds" of affected email addresses associated with enterprise accounts.

How Do You Protect Against It?

Check Point said it has alerted Google to the Gooligan malware and that Google is "taking numerous steps including proactively notifying affected accounts, revoking affected tokens and deploying SafetyNet improvements to protect users from these apps in the future." Check Point has also released a free tool at gooligan.checkpoint.com that lets users determine if they've suffered a breach. If breached, Check Point said a clean installation of the operating system is required and recommended changing all Google account passwords after the clean installation. Check Point also recommended powering off the device until a clean installation can be performed by a certified technician.