Gooligan was exposed by a team of researchers at Check Point Software Technologies today. The malware family was activated in August and has since gained access to over one million accounts. Over 13,000 new devices are being hijacked every day by at least 86 compromised apps in third-party app stores.
Once installed, the malware “roots” affected Android phones to gain privileged system access. It then uses the newly granted privileges to download and install software capable of breaking into the user’s Google account. It does this by stealing authentication tokens used to login to Google services such as Gmail, Google Play, Google Drive and Google Photos.
Token-based authentication is a standard method used by apps that need to confirm their identity to a server. The first time you open the app and login to the service, the server sends a specially signed “token” to your device. On subsequent uses of the app, the token is sent back to the server every time a request is made. The server uses the token to verify your identity so you don’t need to login again.
By stealing the signed tokens, the malware can authenticate itself as the owner of the device to Google’s services. It can then achieve access to the account. Check Point found the software is being used to post fake reviews and ratings on apps in the Google Play Store. It’s part of a scam that exploits ad network monetisation schemes to make more revenue. The researchers also found the malicious apps spoof device identification numbers, such as the IMEI and IMSI, to pretend to download apps twice, doubling the ad income.
The technique being used is so serious because it can bypass advanced protection mechanisms around Google accounts. Security researchers generally advise the use of two-factor authentication to secure your online services. Two-factor authentication is of no use here though. Once the malware has stolen the token issued by Google’s servers, it is the real user as far as Google is concerned. Check Point advised Android users to check if their account has been compromised by using a specially built website it has set up.
“Gooligan has breached over a million Google accounts,” said Check Point. “We believe that it is the largest Google account breach to date, and we are working with Google to continue the investigation. We encourage Android users to validate whether their accounts have been breached.”
Check Point alerted Google immediately after the scale of Gooligan’s campaign became clear. It praised the company’s response to the issue, noting it was quick to acknowledge the problem. It is now proactively working with Check Point to continue the investigation.
Google is taking steps to mitigate the impact of Gooligan. Users known to have been affected will be contacted in due course with advice on what to do next. Google is also actively revoking authentication tokens that have been stolen. These tokens will no longer be accepted as valid by its servers so the malware will not be able to use them to access accounts.
Google said it is working to “eliminate” the Gooligan malware family altogether. In the meantime, it’s taking a series of steps to protect users while the campaign continues:
“We’ve taken many actions to protect our users and improve the security of the Android ecosystem overall. These include: revoking affected users’ Google Account tokens, providing them with clear instructions to sign back in securely, removing apps related to this issue from affected devices, deploying enduring Verify Apps improvements to protect users from these apps in the future and collaborating with ISPs to eliminate this malware altogether.”
Gooligan is targeting Android devices running versions four and five of the operating system. Newer phones are not affected. The easiest way to protect against the attack is to only install apps from within the confines of the Google Play Store. If a third-party app store is used, enabling Google’s Verify Apps feature will now issue a warning if Gooligan is detected.
