Security Experts:

"Gooligan" Android Malware Steals Authentication Tokens to Hack User Accounts

Android Malware Steals Authentication Tokens to Compromise More Than 1 Million Google User Accounts

Researchers from Check Point Software Technologies shared details on Wednesday of new Android malware that has compromised more than a million Google Accounts.

Dubbed Gooligan by the security firm, the malware targets devices running Android 4 and 5, which represent nearly 74 percent of Android devices currently in use.

According to Check Point, the mobile malware can steal authentication tokens stored on devices which can be used to access sensitive data from Gmail, Google Photos, Google Docs and other services, including G Suite.

Check Point’s research team originally discovered Gooligan's code in a malicious app called SnapPea last year. They discovered a new variant in August 2016 which they say is infecting 13,000 Android devices per day, with approximately 57 percent of infected devices located in Asia and about nine percent in Europe.

"The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device, or by clicking on malicious links in phishing attack messages," Check Point explained in a blog post.

After gaining control over the Android device, the cybercriminals behind Gooligan make money by fraudulently installing apps from Google Play and rating them on behalf of the victim, Check Point said. Gooligan installs at least 30,000 apps daily on compromised devices, totaling more than 2 million apps since the campaign first kicked off.

“If your account has been breached, a clean installation of an operating system on your mobile device is required. This complex process is called flashing, and we recommend powering off your device, and approaching a certified technician or your mobile service provider, to re-flash your device,” said Michael Shaulov, Check Point's head of mobile products.

Check Point has made available a free online tool that allows users to check if their account has been breached by Gooligan. 

In related Android security news, Palo Alto Networks shared details on a recently discovered Android Trojan dubbed “PluginPhantom” that abuses a legitimate plugin framework to update itself and evade static detection. According to to the network security firm, PluginPhantom focuses on data theft and is capable of stealing files, contacts, location data and Wi-Fi information, while also being able to take photos, capture screenshots, intercept and send SMS messages, record audio and log keystrokes.

view counter
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.