A new version of an existing piece of malware has emerged in some third-party Android app stores and researchers say it has infected more than a million devices around the world, giving the attackers full access to victims’ Google accounts in the process.
The malware campaign is known as Gooligan, and it’s a variant of older malware called Ghost Push that has been found in many malicious apps. Researchers at Check Point recently discovered several dozen apps, mainly in third-party app stores, that contain the malware, which is designed to download and install other apps and generate income for the attackers through click fraud. The malware uses phantom clicks on ads to generate revenue for the attackers through pay-per-install schemes, but that’s not the main concern for victims.
The Gooligan malware also employs exploits that take advantage of several known vulnerabilities in older versions of Android, including Kit Kat and Lollipop, to install a rootkit that is capable of stealing users’ Google credentials. Although the malware has full remote access to infected devices, it doesn’t appear to be stealing user data, but rather is content to go the click-fraud route. Most users are being infected through the installation of apps that appear to be legitimate but contain the Gooligan code, a familiar infection routine for mobile devices.
“The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device. Our research team has found infected apps on third-party app stores, but they could also be downloaded by Android users directly by tapping malicious links in phishing attack messages. After an infected app is installed, it sends data about the device to the campaign’s Command and Control (C&C) server,” Check Point’s research team said in an analysis of the campaign.
“Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153). These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user. If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.”
The Gooligan malware then downloads another module that allows it to steal the victim’s Google credentials and authentication token. It also has the ability to install other apps and adware, which is the revenue-generating mechanism. Google has taken a number of actions to protect users from this attack, including removing the malicious apps from Google Play and actively contacting users that are known to be infected by the malware.
“We’ve taken many actions to protect our users and improve the security of the Android ecosystem overall. These include: revoking affected users’ Google Account tokens, providing them with clear instructions to sign back in securely, removing apps related to this issue from affected devices, deploying enduring Verify Apps improvements to protect users from these apps in the future and collaborating with ISPs to eliminate this malware altogether,” Adrian Ludwig of Google’s Android security team said.
“We are working with the Shadowserver Foundation and multiple major ISPs that provided infrastructure used to host and control the malware. Taking down this infrastructure has disrupted the existing malware, and will slow the future efforts.”
The Gooligan campaign underscores two of the main security issues facing Android users specifically: the danger of installing apps from third-party sources and the lack of security updates for many users. Carriers and device manufacturers control when or if Android users receive patches, and while Google pushes fixes to Nexus and Pixel users as soon as they’re available, many carriers never release them at all.