Gooligan malware campaign steals more than 1 Million Google Accounts using Android phones – Checkpoint

Researchers from Checkpoint have identified that a malware campaign dubbed Gooligan has infected more than 1.3 million Android users globally.

The Android-targeted campaign infects devices and steals authentication tokens, which are then used to access data from Google services such as Google Play, Gmail, Google Photos, Google Docs, Google Drive and many others. The malware is a new variant of Gooligan, which was discovered by Checkpoint last year; its primary intention was to boost advertising revenue from infected apps.

Affected versions: Android 4 Jelly Bean, Android 4 KitKat and Android 5 Lollipop. These versions cover approx. 74% of all Android users around the world. The percentage distribution of users infected by this malware is as follows.

  • 57% of users are from Asia
  • 19% of users are from the Americas
  • 15% of users are from Africa
  • 9% of the users are from Europe

Checking your Google account for breach:
Checkpoint has provided a website where you can enter your account email address and check whether it was breached: https://gooligan.checkpoint.com

If your account is compromised, please follow these steps:

  1. Change the password of your Google accounts immediately and refrain from using your device until the next step is completed.
  2. Rebuild or perform a clean installation of the Android operating system, which is also called flashing. This can be an advanced procedure, so please contact your local technician if that is easier.

How does the Gooligan malware work?

When a user downloads and installs a Gooligan-infected app from an app store, whether lured by a phishing text, a scam, a Facebook post or any other means, the Android device gets infected. Once the infected app is installed, it sends details of the device to the Command & Control (C&C) server. After contacting the C&C server, the app downloads a rootkit from it, which runs exploits for known vulnerabilities (VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153)) against the vulnerable device. If exploitation succeeds, the attacker has full control of the device and can execute any commands remotely.

Once the Android device is rooted, the malware contacts the C&C server again and installs a new malicious module on the device. Gooligan then injects code into Google Play and other Google services to mimic user behaviour, similar to the HummingBad malware, in order to boost advertising revenue.

Ref: Checkpoint Blog

Pic Ref: Checkpoint Blog

The malware earns money in two ways. Every app it installs results in a payment to the attacker, while the installed apps also earn revenue from ad services that pay to distribute ads through them. The malware also forces infected devices to leave positive reviews and higher ratings on Google Play.

Google Authentication Tokens:

In simple words, an authentication token is a credential that Google issues upon login and that grants access to the user's Google account and services.

When a Google authorization token is stolen by a hacker, they can use it to access all the Google services tied to that user (including Google Play, Gmail, Google Docs, Google Drive, Google Photos and many other Google services). While Google has implemented multiple mechanisms, like two-factor authentication, to prevent hackers from compromising Google accounts, a stolen authorization token bypasses these mechanisms and gives hackers the desired access, because the user is perceived as already logged in. (Reference: Checkpoint)

Google is still in denial, stating that there is no evidence that such access has taken place, whereas Checkpoint has shown the world its latest research with valid data.

Ref: Checkpoint
