Some old malware that targets older versions of the Android operating system has been implicated in the biggest theft of Google account data yet. The malware is called Ghost Push and has been in the wild for a few years now as Google and other security firms have battled to minimize its impact. However, according to public statements made today by security firm Check Point and Google, a new variant called Gooligan, identified this past summer, has been implicated in the theft of around 1.3 million Google account credentials.
Although the hackers have a huge stash of user credentials at their fingertips, security experts familiar with the case say the information is not being used to actually access the accounts or try to steal information contained in emails or documents. Instead, the hackers are using the credentials to install apps on devices and enter fake reviews on the Google Play store. The end result of this activity is an attempt to bump up advertising impressions displayed in the apps, which generates revenue for the hackers.
Researchers say the illicit revenue totals about $320,000 per month as Gooligan grows by an average of 13,000 new installs each day. According to Check Point, the malware ends up getting installed via third-party apps. Users are convinced to install the app in order to access content, frequently pornographic in nature. Check Point says the malware, once installed, will determine the type of device it is loaded on and then root the device.
The good news, if there is any, is that Gooligan only works on older versions of Android including Jelly Bean, KitKat and Lollipop. Newer versions since Android 6.0 Marshmallow are not at risk.
Users impacted by Gooligan are primarily located in Asia, which accounts for 40 percent of the known infections. Users in the Americas, primarily North America, account for another 19 percent of infections, and European users are the third largest group at 12 percent of infected devices.
If the use of malware to generate illicit advertising revenue sounds familiar, it may be because it was the same model used this past year by the hackers behind the HummingBad malware.
Researchers with Google and Check Point say they have been monitoring and battling Gooligan since June 2015. During that time the malware has morphed from delivery that required a physical connection to a Windows-based PC to newer methods that got around that limitation.
In statements released today, Check Point provided a tool for users to check for infection and compiled a list of apps known to include the Gooligan code. Michael Shaulov, head of mobile and cloud security with Check Point, hopes that by going public about Gooligan and what the hackers are doing, the Android community will be able to combat the malware more effectively and stop it in its tracks, in contrast to the closed, limited work done thus far.
If you want to check whether your Gmail account is among those breached, you can visit the Gooligan Checker site set up by Check Point at gooligan.checkpoint.com.