Million-strong Gooligan infection takes hold of Android handsets

December 1, 2016 // 10:35 a.m.

Tags: #adrian-ludwig #android #check-point #ghost-push #google #gooligan #insecurity #malware #security #trojan-horse

A particularly aggressive malware campaign has affected an estimated one million Google accounts using malware installed on older Android devices, giving ne'er-do-wells complete access to users' accounts.

Discovered by security firm Check Point, the Gooligan malware - a variant of a package dubbed Ghost Push and dating back to 2014 - has been found to have been installed on more than one million Android devices running versions of Google's operating system older than Android 6.0. The malware itself has two means of ingress: installing itself using a phishing campaign where the user receives an email telling them to install a security update, or being installed as a Trojan horse via a third-party application repository lacking the automatic security checking of Google's official Play Store. While this means that smartphones and tablets locked down to installing software exclusively from Google Play are not affected, the campaign appears to have been thoroughly successful nevertheless: Check Point estimates that infections are growing at a rate of around 13,000 a day.

While Gooligan is known to steal user credentials from infected devices, Google itself has stated that account hijacking is likely not its creator's intention. 'In addition to rolling back the application installs created by Ghost Push, we used automated tools to look for signs of other fraudulent activity within the affected Google accounts. None were found,' claimed Google's Adrian Ludwig in a comment on the matter. 'The motivation behind Ghost Push is to promote apps, not steal information, and that held true for this variant.'

Those affected by the breach should have already had their account authorisation tokens revoked, locking the malware out from their account. Check Point, meanwhile, has published a detailed analysis including a list of applications used as Trojan horses to infect handsets with Gooligan, and has launched a microsite for checking if your account was among the affected.
Discuss this in the forums

QUICK COMMENT

SUBSCRIBE TO OUR NEWSLETTER

WEEK IN REVIEW

TOP STORIES

SUGGESTED FOR YOU