Hackers compromise over 1 million Google accounts

The malware can gain root access on Android phones, exposing the entire device to the hackers. (Source: Android Recovery Mode Screen)

Malicious software disguised as legitimate Android apps have breached over 1 million Google accounts. The software can then install additional apps or even post content online.

Sam Medley, Published 11/30/2016

An intricate new hacking campaign has led to the breach of over one million Google accounts, according to Israeli security firm Check Point Software Technologies. The hacking method uses malware dubbed “Gooligan” that is installed through unauthorized apps available outside of the Google Play Store.

Once downloaded, the malicious apps (which are disguised as innocuous apps like flashlights and WiFi analysis tools) take control of the infected device by gaining root access. Root access allows a program to utilize any part of a computer or phone, including the file system, hardware access, and user information. This allows the malware to download additional apps, access private and personal info, and even send information, all without alerting the user.

Hackers were able to use the malware to gain user tokens to user accounts with Google Docs, Google Photos, and Gmail. “Tokens” are used by services and software to authenticate users. If a hacker is able to obtain a token used to log in to a service, the hacker can then pose as the affected user without easy detection.

So far, it seems that the hackers have used the malware to access information, download additional apps and adware, and post reviews and other content while posing as unaware users. According to Fortune, the adware and fake reviews have been used to “generate hundreds of thousands of dollars in bogus ad revenue per month.”

The phony apps have been infecting devices since August. Check Point believes that the malware is infecting up to 13,000 Android devices and installing about 30,000 apps every day. The hackers seem to be targeting devices running Android 4 or Android 5 (Jelly Bean through Lollipop), which account for almost 75% of all Android devices globally.

Check Point has notified Google of the breach, and both companies are working to track down the hackers and mitigate the damage caused. Per Fortune, “Check Point further [recommends] that victims reinstall the operating system on their phones, hiring a technician to “flash” the device’s memory, since a standard factory reboot is not enough to remediate the issue. Immediately following that, customers should change their Google passwords.”

Check Point has released a free tool to check if an account was breached. It can be found here.

Source(s)

Check Point Software Technologies

Fortune

+ Show Press Release

Press Release

More Than 1 Million Google Accounts Breached by Gooligan

by Check Point Research Team php to make author dynamic date posted 2016/11/30

As a result of a lot of hard work done by our security research teams, we revealed today a new and alarming malware campaign. The attack campaign, named Gooligan, breached the security of over one million Google accounts. The number continues to rise at an additional 13,000 breached devices each day.

Our research exposes how the malware roots infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.

Gooligan is a new variant of the Android malware campaign found by our researchers in the SnapPea app last year.

Check Point reached out to the Google Security team immediately with information on this campaign. Our researchers are working closely with Google to investigate the source of the Gooligan campaign.

http://blog.checkpoint.com/wp-content/uploads/2016/11/info_3_REVISED_11.29-Copy-1.jpg

“We’re appreciative of both Check Point’s research and their partnership as we’ve worked together to understand these issues,” said Adrian Ludwig, Google’s director of Android security. “As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall.”

Click here to read Adrian Ludwig’s complete statement on Gooligan.

We are very encouraged by the statement Google shared with us addressing the issue. We have chosen to join forces to continue the investigation around Gooligan. Google also stated that they are taking numerous steps including proactively notifying affected accounts, revoking affected tokens and deploying SafetyNet improvements to protect users from these apps in the future.

In the following sections, we provide more answers regarding the campaign.

Who is affected?

Gooligan potentially affects devices on Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which is over 74% of in-market devices today. About 57% of these devices are located in Asia and about 9% are in Europe.

http://blog.checkpoint.com/wp-content/uploads/2016/11/info_4_REVISED_11.23.16.jpg

In our research we identified tens of fake applications that were infected with this malware. If you’ve downloaded one of the apps listed in Appendix A, below, you might be infected. You may review your application list in “Settings -> Apps”, if you find one of this applications, please consider downloading an antivirus product such as Check Point ZoneAlarm to check if you are indeed infected.

We have noticed that hundreds of the email addresses are associated with enterprise accounts worldwide.

How do you know if your Google account is breached?

You can check if your account is compromised by accessing the following web site that we created: https://gooligan.checkpoint.com/.

If your account has been breached, the following steps are required:

A clean installation of an operating system on your mobile device is required (a process called “flashing”). As this is a complex process, we recommend powering off your device and approaching a certified technician, or your mobile service provider, to request that your device be “re-flashed.”
Change your Google account passwords immediately after this process.

How do Android devices become infected?

We found traces of the Gooligan malware code in dozens of legitimate-looking apps on third-party Android app stores. These stores are an attractive alternative to Google Play because many of their apps are free, or offer free versions of paid apps. However, the security of these stores and the apps they sell aren’t always verified. Gooligan-infected apps can also be installed using phishing scams where attackers broadcast links to infected apps to unsuspecting users via SMS or other messaging services.

How did Gooligan emerge?

Our researchers first encountered Gooligan’s code in the malicious SnapPea app last year. At the time this malware was reported by several security vendors, and attributed to different malware families like Ghostpush, MonkeyTest, and Xinyinhe. By late 2015, the malware’s creators had gone mostly silent until the summer of 2016 when the malware reappeared with a more complex architecture that injects malicious code into Android system processes.

http://blog.checkpoint.com/wp-content/uploads/2016/11/info_2_REVISED-11.23.16-Copy.jpg

The change in the way the malware works today may be to help finance the campaign through fraudulent ad activity. The malware simulates clicks on app advertisements provided by legitimate ad networks and forces the app to install on a device. An attacker is paid by the network when one of these apps is installed successfully.

Logs collected by Check Point researchers show that every day Gooligan installs at least 30,000 apps fraudulently on breached devices or over 2 million apps since the campaign began.

How does Gooligan work?

The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device. Our research team has found infected apps on third-party app stores, but they could also be downloaded by Android users directly by tapping malicious links in phishing attack messages. After an infected app is installed, it sends data about the device to the campaign’s Command and Control (C&C) server.

Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153). These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user. If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.

After achieving root access, Gooligan downloads a new, malicious module from the C&C server and installs it on the infected device. This module injects code into running Google Play or GMS (Google Mobile Services) to mimic user behavior so Gooligan can avoid detection, a technique first seen with the mobile malware HummingBad. The module allows Gooligan to:

Steal a user’s Google email account and authentication token information
Install apps from Google Play and rate them to raise their reputation
Install adware to generate revenue

Ad servers, which don’t know whether an app using its service is malicious or not, send Gooligan the names of the apps to download from Google Play. After an app is installed, the ad service pays the attacker. Then the malware leaves a positive review and a high rating on Google Play using content it receives from the C&C server.

Our research team was able to identify several instances of this activity by cross-referencing data from breached devices with Google Play app reviews. This is another reminder of why users shouldn’t rely on ratings alone to decide whether to trust an app.

http://blog.checkpoint.com/wp-content/uploads/2016/11/gooligan1.png

Two examples of reviews left by users who were also found on the attacker’s records as victims.

http://blog.checkpoint.com/wp-content/uploads/2016/11/gooligan2.png

An example of fake reviews and comments to one of the fraudulent applications.

http://blog.checkpoint.com/wp-content/uploads/2016/11/gooligan3.png

The same user discovered two different fraudulent apps were installed on his device, without his knowledge.

Similar to HummingBad, the malware also fakes device identification information, such as IMEI and IMSI, to download an app twice while seeming like the installation is happening on a different device, thereby doubling the potential revenue.

http://blog.checkpoint.com/wp-content/uploads/2016/11/google4.png

One of the apps downloaded from Google Play by Gooligan.

What are Google authorization tokens?

A Google authorization token is a way to access the Google account and the related services of a user. It is issued by Google once a user successfully logged into this account.

When an authorization token is stolen by a hacker, they can use this token to access all the Google services related to the user, including Google Play, Gmail, Google Docs, Google Drive, and Google Photos.

While Google implemented multiple mechanisms, like two-factor-authentication, to prevent hackers from compromising Google accounts, a stolen authorization token bypasses this mechanism and allows hackers the desired access as the user is perceived as already logged in.

Conclusion

Gooligan has breached over a million Google accounts. We believe that it is the largest Google account breach to date, and we are working with Google to continue the investigation. We encourage Android users to validate whether their accounts have been breached.

Appendix A: List of fake apps infected by Gooligan

Perfect Cleaner
Demo
WiFi Enhancer
Snake
gla.pev.zvh
Html5 Games
Demm
memory booster
แข่งรถสุดโหด
StopWatch
Clear
ballSmove_004
Flashlight Free
memory booste
Touch Beauty
Demoad
Small Blue Point
Battery Monitor
清理大师
UC Mini
Shadow Crush
Sex Photo
小白点
tub.ajy.ics
Hip Good
Memory Booster
phone booster
SettingService
Wifi Master
Fruit Slots
System Booster
Dircet Browser
FUNNY DROPS
Puzzle Bubble-Pet Paradise
GPS
Light Browser
Clean Master
YouTube Downloader
KXService
Best Wallpapers
Smart Touch
Light Advanced
SmartFolder
youtubeplayer
Beautiful Alarm
PronClub
Detecting instrument
Calculator
GPS Speed
Fast Cleaner
Blue Point
CakeSweety
Pedometer
Compass Lite
Fingerprint unlock
PornClub
com.browser.provider
Assistive Touch
Sex Cademy
OneKeyLock
Wifi Speed Pro
Minibooster
com.so.itouch
com.fabullacop.loudcallernameringtone
Kiss Browser
Weather
Chrono Marker
Slots Mania
Multifunction Flashlight
So Hot
Google
HotH5Games
Swamm Browser
Billiards
TcashDemo
Sexy hot wallpaper
Wifi Accelerate
Simple Calculator
Daily Racing
Talking Tom 3
com.example.ddeo
Test
Hot Photo
QPlay
Virtual
Music Cloud

"123456" and "password" are officially 2018's worst passwords News @ 12/16/2018
Chinese hackers believed to be behind massive Marriott data breach News @ 12/12/2018
150 million MyFitnessPal users affected by hack News @ 03/30/2018
"Self-destructing" PC will keep hackers at bay News @ 07/07/2017
UK parliament suffering from sustained cyber-attacks News @ 06/24/2017
Hackers compromise U.S. taxpayer data through university financial aid system News @ 04/07/2017
Google says it has patched exploits used by the CIA News @ 03/09/2017
Internet of Things will need extensive support lifecycles News @ 01/16/2017
Android backups are now manageable in Google Drive, sort of News @ 12/10/2016
Nearly 1 million Germans offline last weekend due to hack attempt News @ 11/30/2016
Five second video can crash iPhones News @ 11/23/2016
Some lower-end Android phones are sending user data to China News @ 11/16/2016
Yahoo: Personal info of 500 million accounts stolen News @ 09/23/2016
Over 850 million Android devices still vulnerable to Stagefright News @ 03/25/2016
Google and Samsung promise monthly OTA Android security updates News @ 08/06/2015

Loading Comments

Comment on this article

Meizu M3X now up for pre-order

Nvidia: GeForce GTX 1050 for Laptop...

Sam Medley - Senior Tech Writer - 1345 articles published on Notebookcheck since 2016

I've been a computer geek my entire life. After graduating college with a degree in Mathematics, I worked in finance and banking a few years before taking a job as a database administrator. I started working with Notebookcheck in October of 2016 and have enjoyed writing news and reviews. I've also written for other outlets including UltrabookReview and GeeksWorldWide, focusing on consumer guidance and video gaming. My areas of interest include the business side of technology, retro gaming, Linux, and innovative gadgets. When I'm not writing on electronics or tinkering with a device, I'm either outside with my family, enjoying a decade-old video game, or playing drums or piano.

Please share our article, every link counts!

> Expert Reviews and News on Laptops, Smartphones and Tech Innovations > News > News Archive > Newsarchive 2016 11 > Hackers compromise over 1 million Google accounts

Sam Medley, 2016-11-30 (Update: 2016-11-30)

Hackers compromise over 1 million Google accounts

Source(s)

Press Release

Related Articles