Attackers are using an Android malware campaign known as Gooligan to target Android users and breach the security of their Google accounts.

So far, the malicious hackers have compromised one million Google accounts, and they hack an additional 13,000 devices each day.

A Gooligan infection begins in one of two ways. Android users might tap on a malicious link sent to them in a phishing email, or they could download a fake app from a third-party store.

Let’s face it: there’s no good that can come from apps with names like “Sex Photo,” “com.example.ddeo,” and “Test.”

Upon successful infection, Gooligan sends data about the infected device to its command and control server. It’s then that the malware gets down and dirty.

As the Check Point research team explains in a blog post:

“Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153). These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user. If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.”

But the attackers don’t stop there. They download a module onto the device that injects code into Google Mobile Services so as to mimic user behavior and thereby avoid detection, a technique researchers first observed with HummingBad.

The module grants attackers the ability to load up adware, download apps and positively rate them in an attempt to generate revenue, and steal a user’s Google authorization token.

Wait… a Google authorization token? What’s that?

It’s essentially a credential that grants whoever holds it access to a user’s Google account and related services. With an authorization token, someone can bypass two-step verification (2SV) and other measures that might be protecting the account, and access the user’s Google Drive, Gmail, and other parts of their Google identity.

In other words, if you steal someone’s Google authorization token, you gain complete control over their account.

Check Point doesn’t mince its words when evaluating the seriousness of this campaign:

“Gooligan has breached over a million Google accounts. We believe that it is the largest Google account breach to date, and we are working with Google to continue the investigation. We encourage Android users to validate whether their accounts have been breached.”

Users can check to see if Gooligan compromised their Google accounts by visiting https://gooligan.checkpoint.com/. If your account is affected, you should install a clean version of the Android operating system onto your phone, and then change your Google password.

Gooligan likes to hang around third-party app marketplaces, so in general, Android users might be safer downloading their apps only from the Google Play Store and should never click on suspicious links.
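
The two exposure factors described above (an Android 4 or 5 release and apps installed from outside Google Play) can be checked on a device you manage. The following is an added example, not code from Check Point or from this article: it parses the text output of `adb shell getprop ro.build.version.release` and `adb shell pm list packages -3 -i`. The sample input is constructed, and the function names are hypothetical.

```python
import re

PLAY_INSTALLER = "com.android.vending"  # package name of the Google Play Store app
EXPOSED_MAJORS = {4, 5}  # Android versions named in the Check Point quote above

_PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_packages(pm_output):
    """Map package -> installer (None if unrecorded) from `pm list packages -3 -i`."""
    packages = {}
    for line in pm_output.splitlines():
        match = _PKG_LINE.match(line.strip())
        if match:  # skip blank lines, warnings and anything else unparseable
            pkg, installer = match.groups()
            packages[pkg] = None if installer == "null" else installer
    return packages

def triage(release, pm_output):
    """Flag a device that pairs an exposed Android release with non-Play installs."""
    lead = re.match(r"\d+", release.strip())
    major = int(lead.group()) if lead else None  # None for non-numeric release strings
    non_play = sorted(p for p, inst in parse_packages(pm_output).items()
                      if inst != PLAY_INSTALLER)
    exposed = major in EXPOSED_MAJORS
    return {"major": major, "exposed_os": exposed,
            "non_play_packages": non_play,
            "needs_review": exposed and bool(non_play)}

# Constructed sample input, not captured from a real device.
SAMPLE_RELEASE = "5.1.1\n"
SAMPLE_PM_OUTPUT = """\
package:com.example.ddeo  installer=null
package:org.constructed.notes  installer=com.android.vending
package:org.constructed.game  installer=com.constructed.thirdparty.store
"""

if __name__ == "__main__":
    print(triage(SAMPLE_RELEASE, SAMPLE_PM_OUTPUT))
```

A `needs_review` result indicates exposure, not infection: apps installed over adb also show no Play installer, so the flagged packages are a list to inspect by hand.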