Gooligan, What?
Gooligan was first encountered by the Checkpoint researchers in the malicious SnapPea app last year. Since the creators of the Malware had been in a slumber mode till early 2016 the Malware was supposedly out of the radar. Well, the Malware made a re-entry in the Summer of 2016 along with an advanced and more complex architecture that injected malicious codes into the Android system processes. The word ‘Gooligan’ seems to be an amalgamation of Google + Holligan. The infection begins only once user downloads and installs a Gooligan-affected app on a vulnerable device. The malware can also be downloaded by clicking on the phishing link or malicious download links. After the app is installed it sends data regarding the device to the campaigns Command and Control server. This prompts Google to download a rootkit from the C&C server which takes advantage of the Android 4 and the 5 exploits including the VROOT (CVE-2013-6282) and also Towelroot (CVE-2014-3153), since the exploits are still not patched in some Android versions it becomes easy for the attacker to take full control of the device and also execute privileged commands remotely. Next, Gooligan downloads a new module from the C&C server and installs it on the infected device. The code is then cleverly injected into the GMS to avoid detection. Gooligan now uses the module to steal users Google email account, authentication token, can install apps from Google Play and also install adware to generate revenue.
The Statistics
Gooligan is perhaps the biggest threat lurking around when it comes to Android ecosystem with the campaign infecting 13,000 devices on a daily basis and also gaining access to the email and related services. The Gooligan mostly targets Android 4 and 5 and this in itself is a major threat since nearly 74 percent of Android devices are running on Android 4 and 5. It’s also estimated that Gooligan installs 30,000 apps on the breached devices every day while the total number of the app installed is pegged at 2-Million. Demographically speaking Asia seems to be the worst affected with 40 percent followed by Europe at 12 percent
The Recourse
The good folks at CheckPoint have already come up with a tool that helps in detecting a breach associated with a Google account. Just punch in your email address and check for the breach. this is what Shaulov, CheckPoints head of mobile products had to say, “If your account has been breached, a clean installation of an operating system on your mobile device is required. For further assistance, you should contact your phone manufacturer or mobile service provider. Additionally, I would suggest Android users refrain clicking on links from unknown sources and also ensure that you don’t install a third-party app that doesn’t seem trustworthy.