More than a million Google accounts have been compromised by cybercriminals. There’s no need to panic about Google’s servers being breached, however. The culprit is actually a new strain of Android malware that’s been dubbed Gooligan.
Researchers at Check Point have been keeping close tabs on the malware, and they believe that it’s still very active. They estimate that somewhere around 13,000 new Google accounts are being compromised every day. Check Point has been working closely with Google to identify the source of the threat and to come up with a way to neutralize it.
Gooligan has been circulating since August of this year and has been infecting Android devices at a steady pace ever since. Not just any Android device, mind you. Like nearly all of the Android malware you may have read about, devices are only at risk if the owner has enabled app installations from unknown sources. If that switch has been flipped, the malware has the access it needs to a device. Even then, the owner has to visit a third-party app store and install an infected app.
Once that happens, another malicious payload is retrieved that attempts to root the device. If it’s successful, the attackers can then force app installs from Google Play, post ratings for those apps to boost their standing, load adware onto the device, and steal Google authentication tokens. A token can allow criminals to access a user’s Google accounts — Gmail, Google Drive, YouTube, etc. — without the hassle of figuring out (or stealing) his or her password. It also allows that access even if a user has enabled two-factor authentication on their Google account, according to Check Point.
Fortunately, Gooligan is not the kind of threat that’s likely to impact users in North America. Other than Amazon’s Appstore, there aren’t any major third-party alternatives to Google Play. Check Point’s report also notes that Gooligan takes advantage of multiple vulnerabilities found in Android 4 and 5. If your device runs Android 6 Marshmallow or you just picked up a Pixel running Nougat, you shouldn’t be vulnerable even if you did allow unknown sources and download apps from a sketchy marketplace.
Just in case you do have any concerns, Check Point has created a free web-based tool that can check to see if your device has been infected.
Source: SANS ISC SecNewsFeed @ November 30, 2016 at 01:39PM