Beware! Android Smartphones hit by another Android Malware, Which has taken more than 1 Million Google accounts around 13,000 devices every day.
Named Gooligan, the malware attached defenseless Android gadgets to take email locations and confirmation tokens put away on them.
With this data in hands, the aggressors can seize your Google record and get to your touchy data from Google applications including Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite.
“Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153),” researchers said in a blog post.
This malware only affect rooted devices which download and install software that steals the authentication tokens that allow the phones to access the Owner’s Google accounts without even resetting the password. The malware which stole’s tokens can work on Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite.
The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device. Our research team has found infected apps on third-party app stores, but they could also be downloaded by Android users directly by tapping malicious links in phishing attack messages. After an infected app is installed, it sends data about the device to the campaign’s Command and Control (C&C) server.
Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153). These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user. If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.
After achieving root access, Gooligan downloads a new, malicious module from the C&C server and installs it on the infected device. This module injects code into running Google Play or GMS (Google Mobile Services) to mimic user behavior so Gooligan can avoid detection, a technique first seen with the mobile malware HummingBad. The module allows Gooligan to:
Steal a user’s Google email account and authentication token information
Install apps from Google Play and rate them to raise their reputation
Install adware to generate revenue
Ad servers, which don’t know whether an app using its service is malicious or not, send Gooligan the names of the apps to download from Google Play. After an app is installed, the ad service pays the attacker. Then the malware leaves a positive review and a high rating on Google Play using content it receives from the C&C server.
How to Protect Yourself & Confirm if your Google Account has been compromised?
According to; checkpoint.com
Gooligan potentially affects devices on Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which is over 74% of in-market devices today. About 57% of these devices are located in Asia and about 9% are in Europe.
Check Point has published an online tool to check if your Android device has been infected with the Gooligan malware. Just open ‘Gooligan Checker’ and enter your Google email address to find out if you’ve been hacked.
If you found yourself infected, Adrian Ludwig, Google’s director of Android security, has recommended you to run a clean installation of the operating system on your Android device.
This process is called ‘Flashing,’ which is quite a complicated process. So, the company recommends you to power off your device and approach a certified technician or your mobile service provider in order to re-flash your device.