'Gooligan' Android malware breaches million-plus Google accounts

A new variant of the Ghost Push malware, nicknamed Gooligan, is believed to have rooted a vast number of Android devices, leading to over a million Google accounts being compromised.

Security vendor Check Point said Gooligan had evolved from malware families such as Ghost Push, MonkeyTest and Xinyinhe, which were discovered in 2014/15, and is found in at least 86 Android apps.

The infected apps are located in third-party app stores that offer free versions of paid software. Gooligan also spreads via phishing campaigns using messaging services such as SMS.

Once a user installs a Gooligan-infected app, the malware sends device data to a control and command server, and then downloads a rootkit that utilises multiple exploits such as vROOT and Towelroot.

After elevating its privileges to those of the Android root superuser, Gooligan copies users' Google email account and authentication token information and begins to download apps from Google Play, rating them automatically to boost their reputation, Check Point said.

Gooligan also installs adware on infected devices.

According to Check Point, Gooligan infects devices running Android version 4.x Jelly Bean and KitKat, as well as version 5.x of Lollipop. This accounts for three quarters of all Android devices in use today.

Getting rid of Gooligan isn't easy: Check Point said a device reflash for a clean installation of Android is required, something that in many cases may need the assistance of approved technicians. Affected users should also change their Google passwords immediately.

The security vendor's logs show that Gooligan installs at least 30,000 apps every day, for a total of two million since the campaign began.

Android security engineer Adrian Ludwig said his team had been tracking Ghost Push and related malware families since 2014.

In 2015, the Android security team found Ghost Push in more than 40,000 apps. Google's security systems now detect and prevent installation of over 150,000 variants of the malware, Ludwig said.

Even though Gooligan captures Google authentication tokens, Ludwig said there is no evidence of user data being accessed.

"... we used automated tools to look for signs of other fraudulent activity within the affected Google accounts. None were found. The motivation behind Ghost Push is to promote apps, not steal information, and that held true for this variant," he said.

Although Check Point discovered hundreds of email addresses associated with enterprise accounts on infected devices, there's no evidence of Gooligan targeting specific groups of users, Ludwig added.

He acknowledged that Ghost Push malware had been found in Google's Play app store, but said his team had removed the malware. To further reduce the incentive for abuse, Ludwig said Google had also removed apps that benefit from the Ghost Push malware family.

The updated Verify Apps protection system detects Gooligan and Ghost Push-infected apps and stops installation even if users obtain the software from outside Google Play, he said.

Google has also revoked affected users' account tokens and provided them with simple instructions on how to sign in again securely, and teamed up with internet providers to take down the infrastructure behind the malware to slow down future infection campaigns, Ludwig said.