A new malware variant called Gooligan was found this week by Check Point Software Technologies. First detected back in August, and an evolution of code first detected last year in a malicious app called SnapPea, Gooligan has hoovered up around 1.3 million Google account credentials and gained root-level access to the devices associated with those accounts.

The malware gets onto those devices through infected apps hosted by third-party app stores, places notorious for hosting pirated versions of paid-for apps, apps that are pornographic in nature or are related to gambling – things Google does not allow on its official Google Play store.

The problem is, without any official body to vet those apps, they can quite easily host malware, and that’s how Gooligan managed to spread itself.

Once it’s been downloaded as part of a dodgy app, Gooligan steals the email addresses and authorisation tokens on those devices and uses them to download and install apps without the device’s owner knowing. It then uses the compromised device to rate those apps on behalf of the victim – who to those apps appears 100% legitimate – in order to generate fraudulent advertising revenue that nets its masters around $320 000 per day.

Beyond that, this root-level access and control of the devices’ authorisation tokens means Gooligan also has access to all of the users’ Google-hosted data.

“This theft of over a million Google account details is very alarming and represents the next stage of cyber-attacks,” said Michael Shaulov, Check Point’s head of mobile products. “We are seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them.”

According to Check Point’s report on the malware, Gooligan infects 13 000 new devices every day and targets devices running Android 4 (Jelly Bean) and 5 (Lollipop), versions of Google’s OS that run on “…nearly 74% of Android devices in use today”. Since the campaign began, over 2 million apps have been fraudulently installed on compromised devices.

Check Point has passed a lot of the information it has gathered on Gooligan over to Google’s security team. Action taken so far by Google includes contacting affected users and revoking their compromised authorisation tokens, removing apps associated with the attack, and adding new protections to its Verify Apps technology.

When asked about the origins of the malware in an interview, Shaulov told me that Check Point believes it originated from China, but that the company is doing further work to make absolutely certain of the culprits’ identity and location before handing all the information it has gathered over to the relevant authorities.

Check Point has also released the malware’s signature to other security software providers, so if your phone is already running an up-to-date version of whichever Norton/BitDefender/McAfee security app you have loaded, you should be immune to further attacks.

If you’d like to make sure that your device and Google credentials have not been compromised, Check Point has released a free online tool for exactly that purpose. You can find it at https://gooligan.checkpoint.com/.

[Header Image – Check Point, via htxt.co.za]