The folks over at CheckPoint have found yet another piece of malware that is apparently affecting a million or so Android devices. The malware campaign is known as Gooligan, and it’s a variant of older malware called Ghost Push that has been found in many malicious apps. Here’s what it does:
The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device. Our research team has found infected apps on third-party app stores, but they could also be downloaded by Android users directly by tapping malicious links in phishing attack messages. After an infected app is installed, it sends data about the device to the campaign’s Command and Control (C&C) server.
Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153). These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user. If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.
After achieving root access, Gooligan downloads a new, malicious module from the C&C server and installs it on the infected device. This module injects code into running Google Play or GMS (Google Mobile Services) to mimic user behavior so Gooligan can avoid detection, a technique first seen with the mobile malware HummingBad. The module allows Gooligan to:
- Steal a user’s Google email account and authentication token information
- Install apps from Google Play and rate them to raise their reputation
- Install adware to generate revenue
Ad servers, which don’t know whether an app using its service is malicious or not, send Gooligan the names of the apps to download from Google Play. After an app is installed, the ad service pays the attacker. Then the malware leaves a positive review and a high rating on Google Play using content it receives from the C&C server.
Our research team was able to identify several instances of this activity by cross-referencing data from breached devices with Google Play app reviews. This is another reminder of why users shouldn’t rely on ratings alone to decide whether to trust an app.
Lovely. CheckPoint can help you to see if you’ve been affected:
You can check if your account is compromised by accessing the following web site that we created: https://gooligan.checkpoint.com/.
If your account has been breached, the following steps are required:
- A clean installation of an operating system on your mobile device is required (a process called “flashing”). As this is a complex process, we recommend powering off your device and approaching a certified technician, or your mobile service provider, to request that your device be “re-flashed.”
- Change your Google account passwords immediately after this process.
CheckPoint has joined forces with Google to fight this, and you can read about that tie up here. My advice is to check to see if you’re affected and take action immediately.
Like this:
Like Loading...
Related
This entry was posted on November 30, 2016 at 1:11 pm and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
A Million Android Devices Pwned By Malware
The folks over at CheckPoint have found yet another piece of malware that is apparently affecting a million or so Android devices. The malware campaign is known as Gooligan, and it’s a variant of older malware called Ghost Push that has been found in many malicious apps. Here’s what it does:
The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device. Our research team has found infected apps on third-party app stores, but they could also be downloaded by Android users directly by tapping malicious links in phishing attack messages. After an infected app is installed, it sends data about the device to the campaign’s Command and Control (C&C) server.
Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153). These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user. If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.
After achieving root access, Gooligan downloads a new, malicious module from the C&C server and installs it on the infected device. This module injects code into running Google Play or GMS (Google Mobile Services) to mimic user behavior so Gooligan can avoid detection, a technique first seen with the mobile malware HummingBad. The module allows Gooligan to:
Ad servers, which don’t know whether an app using its service is malicious or not, send Gooligan the names of the apps to download from Google Play. After an app is installed, the ad service pays the attacker. Then the malware leaves a positive review and a high rating on Google Play using content it receives from the C&C server.
Our research team was able to identify several instances of this activity by cross-referencing data from breached devices with Google Play app reviews. This is another reminder of why users shouldn’t rely on ratings alone to decide whether to trust an app.
Lovely. CheckPoint can help you to see if you’ve been affected:
You can check if your account is compromised by accessing the following web site that we created: https://gooligan.checkpoint.com/.
If your account has been breached, the following steps are required:
CheckPoint has joined forces with Google to fight this, and you can read about that tie up here. My advice is to check to see if you’re affected and take action immediately.
Share this:
Like this:
Related
This entry was posted on November 30, 2016 at 1:11 pm and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.