Over 1 Million Google Accounts Breached via Malicious Android Apps
The attack campaign, dubbed Gooligan, has breached the security of over one million Google accounts and is still growing at a rate of 13,000 new infections each day. Gooligan is a variant of the Ghost Push malware family of hostile downloaders which download apps onto infected devices without the user’s permission. Google announced on their blog that they they’ve been working the past few weeks to investigate and help protect users against this threat. As a result, Google has already removed the offending apps from the Google Play Store. In addition to removing the malicious apps, Google is also notifying affected accounts, and revoking affected authorization tokens.
How is the Malware Transmitted?
The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device. This can happen in various ways- downloading an infected app from a third party app store, tapping malicious links in phishing attack messages either through SMS text messages or other online messaging services, and via phishing emails.
Once the malware has successfully been installed on the victim’s device, Gooligan can install apps from Google Play and rate them to raise their reputation and install adware to generate revenue. Gooligan can also steal a user’s Google email account and authentication token information, which can allow the attacker to bypass the login process and access the account as the victim is perceived as already logged in. These tokens can then be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.
The devices affected are phones that are running Android 4 (Jelly Bean, KitKat) and 5 (Lollipop).
This malware is unique in nature, as the only way to completely remove it from your phone is to do a clean installation of the operating system. This means that you may have to go to your mobile carrier and have them perform the installation.
Protecting Against Ghost Push Malware
This just pushes the point further that mobile devices need security software more than ever. This malware is easily spread to unprotected phones – all the user needs to do is tap on one bad link and they are exposed. This is also where software updates play a key role in security, as these attacks are using unpatched vulnerabilities on users phones.
Norton Mobile Security detects these types of Ghostpush variants by identifying the rootkits used to activate the malware.
In addition to checking the website, you should also use a mobile security solution like Norton Mobile Security to scan your phone for malware.
If your account has been breached, here are some tips to help clear up the infection:
- The only way to completely remove this malware from an infected device is to do a clean installation of the operating system. This is a complicated process, and you may want to go to your mobile carrier and have them perform the installation.
- Change your Google account passwords immediately after you have the OS reinstalled.