Archives for Security Breach

Gooligan malware campaign steals more than 1 Million Google Accounts using Android phones – Checkpoint



Researchers from Check Point have identified that malware dubbed Gooligan has infected more than 1.3 million Android users globally.

The Android-targeted malware campaign infects devices and steals authentication tokens, which are then used to access data from Google apps such as Google Play, Gmail, Google Photos, Google Docs, Google Drive and many others. The malware is a new variant of Gooligan, which was discovered by Check Point last year, with the primary intention of boosting advertising revenue from infected apps.

Affected versions: Android 4 Jelly Bean, Android 4 KitKat and Android 5 Lollipop. These versions cover approx. 74% of all Android users around the world. The percentage distribution of users infected by this malware is as follows.

  • 57% of users are from Asia
  • 19% of users are from the Americas
  • 15% of users are from Africa
  • 9% of the users are from Europe

Checking your Google account for breach:
Check Point has provided a website where you can enter your email address and check whether your account was breached: https://gooligan.checkpoint.com

If your account is compromised, please follow these steps:

  1. Change the password of your Google accounts immediately and refrain from using your device until the next step is completed.
  2. Rebuild or perform a clean installation of the Android operating system, which is also called flashing. This can be an advanced procedure, so please contact your local technician if that is easier.

How does the Gooligan malware work?

How does this malware Gooligan works?

When a user downloads and installs a Gooligan-infected app from the app store, whether led there by a phishing text, a scam, a Facebook post or any other means, the Android device gets infected. Once the infected app is installed, it sends the details of the device to the Command & Control (C&C) server. Upon contacting the C&C, the app downloads a rootkit from the server and runs exploits against the vulnerable device (VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153)). If the exploitation is possible, the attacker will have full control of the device and can execute any commands remotely.

Once the Android device is infected, the malware tries to contact the C&C and then tries to install a new malicious module on the device. The Gooligan malware later injects code into Google Play and other services to mimic user behavior, similar to the HummingBad malware, in order to boost advertising revenue.

Ref : Checkpoint Blog


The malware app earns money in two ways. Every app installed results in a payment to the attacker, while apps also earn revenue from ad services that pay to distribute ads through installed apps. The malware also forces infected devices to leave positive reviews and higher ratings on Google Play.

Google Authentication Tokens:

In simple words, an authentication token is a means of accessing Google accounts and services, issued by Google upon login.

When a Google authorization token is stolen by a hacker, they can use this token to access all the Google services related to the user (including Google Play, Gmail, Google Docs, Google Drive, Google Photos and many other Google services). While Google has implemented multiple mechanisms, like two-factor authentication, to prevent hackers from compromising Google accounts, a stolen authorization token bypasses this mechanism and allows hackers the desired access, as the user is perceived as already logged in. (Reference: Check Point)
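To make the point about tokens and two-factor authentication concrete, here is a small model added for illustration; it is not Google's or Check Point's code. `ToyAuthServer` and the rule that a password change revokes all tokens are assumptions of the model, and the account details are constructed sample values.

```python
import hashlib
import hmac
import secrets


class ToyAuthServer:
    """Toy model: 2FA is checked at login only; tokens are bearer credentials."""

    def __init__(self):
        self.users = {}    # email -> {"pw": sha256 hex digest, "otp": code}
        self.tokens = {}   # token -> email

    @staticmethod
    def _h(password):
        # Unsalted hash keeps the toy short; real systems use a slow, salted KDF.
        return hashlib.sha256(password.encode()).hexdigest()

    def register(self, email, password, otp_code):
        self.users[email] = {"pw": self._h(password), "otp": otp_code}

    def login(self, email, password, otp_code):
        """Password and second factor are both required to mint a token."""
        user = self.users.get(email)
        if user is None:
            return None
        pw_ok = hmac.compare_digest(user["pw"], self._h(password))
        otp_ok = hmac.compare_digest(user["otp"], otp_code)
        if not (pw_ok and otp_ok):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = email
        return token

    def access(self, token):
        """Service call: only the token is checked, never password or OTP."""
        return self.tokens.get(token)

    def change_password(self, email, new_password):
        """Assumed policy: a password change revokes every outstanding token."""
        self.users[email]["pw"] = self._h(new_password)
        self.tokens = {t: e for t, e in self.tokens.items() if e != email}


def demo():
    srv = ToyAuthServer()
    srv.register("user@example.com", "old-pass", "123456")  # constructed values
    token = srv.login("user@example.com", "old-pass", "123456")
    copied = token  # a copy taken from the device is identical to the original
    before = srv.access(copied)   # accepted: no second factor is requested
    srv.change_password("user@example.com", "new-pass")
    after = srv.access(copied)    # rejected: the token was revoked
    return before, after
```

In this model the copied token works until the password is changed, which is why the password change is the first remediation step listed above.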

Google still maintains that there is no evidence that such access has taken place, whereas Check Point has presented its latest research to the world with valid data.

Ref : Checkpoint


Approx. 68 million Dropbox accounts available to download by anyone worldwide


During the month of August, Motherboard, a prominent online magazine, released a report that more than 60 million account details were stolen from the cloud storage provider Dropbox. However, approx. 68 million Dropbox accounts are now available to download by anyone. (Exact number as published on ibtimes: 68,680,741 accounts.) During the month of September, […]

Akamai’s incapability to protect: dumps its customer after massive DDoS attack, Google anti-DDoS protection to the rescue of KrebsOnSecurity

Last week KrebsOnSecurity.com was targeted by a massive 620Gbps DDoS (Distributed Denial of Service) attack, and Krebs had to take his site down for days. The decision to take the site down was made after Akamai (aka Prolexic) decided that the pro bono service they were offering was costing them and their customers millions and […]

Todesco, a security researcher, breaks Apple iPhone 7 in less than 24 hours


It has hardly been two weeks since the release of the iPhone 7, and a security researcher claims that he has already jailbroken it in less than 24 hours. Motherboard, an online news portal, mentioned that “one teenage hacker has already had success in jailbreaking the iPhone 7 running iOS 10. In fact, the 19-year-old developer, Luca Todesco, claims to […]

The mobile game ‘Clash of Kings’ was hacked and 1.6 million user info exposed


Clash of Kings is one of the most liked games in the mobile environment, with more than 100 million downloads, but a recent hack exposed the information of 1.6 million of its gamers. The hacker exploited outdated vBulletin forum software, and the vulnerability dates back to late 2013, which includes easily exploited security flaws. The exposed data includes usernames, […]

Pokemon Go servers down by DDoS attack- OurMine claims credit


Pokemon Go was released two weeks back and it is already making a name for itself all over the world. Last weekend Pokemon Go was targeted by a group of hackers named “OurMine”, who took the site down with a massive DDoS. Users might have had difficulty logging in to Pokemon Go, and the company displayed the message below. In a post by OurMine, the […]

T-mobile insider employee steals 1.5 million customer information and sells the dump to make quick money


T-Mobile has been unlucky: last year by a massive breach, and now by an internal employee who sold the data of more than 1.5 million Czech Republic customers. As per the local media MF DNES, it is unknown how much name, e-mail address, account number and various other information the marketing database contained. T-Mobile Czech Republic […]

Information of customers of 14 companies being sold on Dark Web


After the TalkTalk incident, when data of over 1.2 million customers was stolen and leaked online, The Mail has reported that 14 other companies are also victims of a similar attack. The Mail has also reported in its news item that the stolen data is being sold on the “Dark Web” that can be accessed from a […]

Credentials of 13 million users breached from 000Webhost, a free webhosting company


The Lithuanian 000Webhost is one of the most popular free webhosting services and has over 13.5 million users. It ranks among the top search results in Google and is quite popular for its services. However, according to a report from Forbes, the login credentials of these users, which include their usernames, passwords, email addresses, last […]

Trading firm Scottrade hacked, loses information of 4.6 million customers


St. Louis-based Scottrade Inc. has sent out an email to its clients informing them of a recent cyber-attack that affected their systems. The company has revealed that they were alerted to the breach by FBI agents who have been investigating it since it occurred sometime between late 2013 and early 2014. It was further […]