Malware News Android-rooting Gooligan malware infects 1 million devices

Solarquest

At an estimated rate of 13,000 smartphones a day

A new strain of Android malware is infecting an estimated 13,000 devices per day.

The Gooligan malware roots Android devices before stealing email addresses and authentication tokens stored on them. The tokens create a means for hackers to access users' sensitive data from Gmail accounts, security researchers at Check Point Software Technologies warn.
The malicious code creates a money-making sideline for crooks by fraudulently installing apps from Google Play and rating them on behalf of the victim.

Gooligan targets devices running Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), collectively around 74 per cent of Android devices currently in use. Gooligan is installing at least 30,000 apps on breached devices every day, or more than 2 million apps since the malicious campaign began, according to Check Point.

Security researchers at the Israeli firm first encountered Gooligan's code in the malicious SnapPea app last year. In August, the malware reappeared with a new variant and has since infected at least 13,000 devices per day. About 40 per cent of these devices are located in Asia and about 12 per cent are in Europe. Hundreds of the email addresses compromised by Gooligan are associated with enterprises around the world.

Check Point has passed on its findings on the campaign to Google’s security team. "This theft of over a million Google account details is very alarming and represents the next stage of cyber-attacks," said Michael Shaulov, Check Point's head of mobile products. "We are seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them."

Gooligan spreads when victims download and install an infected app. Crooks are slinging the malware by tricking victims into following malicious links in phishing messages.

"If your account has been breached, a clean installation of an operating system on your mobile device is required," Shaulov advised. ®

 
wow thank you

I don't have an Android, but could someone explain it to me a little? If you have 2FA, it's useless that they steal tokens, right? Or not?

thank you
The malware affects Android devices, stealing email addresses and authentication tokens stored on them, so yes.
You can read Solarquest's post from the start and it will be clearer to you.
 
thank you, yes I read it, the problem was I did not get what tokens are.. even if I read it on wiki XD

but no problem thank you anyway
 
You can check here: "Check Point Software Technologies: Network Security, Firewalls, and Threat Prevention Solutions". Just open "Gooligan Checker" and enter your Google email address to find out if you've been hacked.

I've already checked mine, it's OK. :)
Thanks. Glad to be not hacked.

 
So much has been said about the safety of non-rooted phones, but now malwares themselves root the phones so as to play more havoc. They are really clever.
 
Security tokens provide an extra level of assurance through a method known as two-factor authentication (2FA) - the user has a personal identification number (PIN), which authorizes them as the owner of that particular email or account or device, etc., then displays a number which uniquely identifies the user to the service, allowing them to log in. ;)
 
thank you, I really appreciate it.. and last question: and the token always works? doesn't it expire?
 
There are so many exploits... I don't know...honestly every second day I see news about some exploit or the other. It looks as though hackers and criminals are taking this battle to Google's doorstep - and how!
 
If you have your two-factor authentication (2FA) 'ON' then it is always 'ON'; if it's 'OFF' then it is always 'OFF'. - It's up to you.
 
but for example, every time I log in to my Google account it sends me a different number each time.. so I meant: are tokens different every time or is it always the same?
thank you
 
in fact here it says (Security token - Wikipedia):

Stolen tokens can be made useless by using two factor authentication. Commonly, in order to authenticate, a personal identification number (PIN) must be entered along with the information provided by the token the same time as the output of the token.

so then it expires, so it seems to me it's highly improbable this attack can be effective
 
What are Google authorization tokens ?

"A Google authorization token is a way to access the Google account and the related services of a user. It is issued by Google once a user successfully logged into this account.
When an authorization token is stolen by a hacker, they can use this token to access all the Google services related to the user, including Google Play, Gmail, Google Docs, Google Drive, and Google Photos.
While Google implemented multiple mechanisms, like two-factor-authentication, to prevent hackers from compromising Google accounts, a stolen authorization token bypasses this mechanism and allows hackers the desired access as the user is perceived as already logged in".


If your phone has been infected, you are seen as logged in (because you were logged in when it was infected), or as soon as you log in to your account.

"If your account has been breached, a clean installation of an operating system on your mobile device is required," Shaulov advised. ®



from: More Than 1 Million Google Accounts Breached by Gooligan | Check Point Blog
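
An added illustration of the point quoted above, not code from the thread, the article or Check Point: a toy model in which the changing 2FA code is checked only at login, while the authorization token issued afterwards is accepted by itself until it is revoked. The `ToyAccountService` class and its method names are hypothetical and do not describe Google's implementation; the secret and timestamps are the RFC 6238 test values, used as constructed input.

```python
import hashlib
import hmac
import secrets
import struct

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1): the number that changes at every login."""
    mac = hmac.new(secret, struct.pack(">Q", int(at // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class ToyAccountService:
    """Hypothetical service for illustration; not Google's implementation."""

    def __init__(self, password: str, totp_secret: bytes):
        self._password = password
        self._totp_secret = totp_secret
        self._tokens = set()  # authorization tokens that are currently valid

    def login(self, password: str, code: str, now: float):
        """Password and 2FA code are checked here, and only here."""
        ok_pw = hmac.compare_digest(password.encode(), self._password.encode())
        ok_code = hmac.compare_digest(code.encode(), totp(self._totp_secret, now).encode())
        if not (ok_pw and ok_code):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens.add(token)
        return token

    def read_mail(self, token: str) -> bool:
        """Later requests present only the token: no password, no 2FA code."""
        return token in self._tokens

    def revoke_all(self) -> None:
        """Defender action: sign out everywhere, invalidating issued tokens."""
        self._tokens.clear()

def demo():
    secret = b"12345678901234567890"             # RFC 6238 test secret (constructed input)
    svc = ToyAccountService("correct horse", secret)
    t0, later = 59, 1111111109                   # RFC 6238 test timestamps
    token = svc.login("correct horse", totp(secret, t0), t0)
    stale_code_rejected = svc.login("correct horse", totp(secret, t0), later) is None
    token_alone_accepted = svc.read_mail(token)  # same result from any device holding it
    svc.revoke_all()
    return stale_code_rejected, token_alone_accepted, svc.read_mail(token)

if __name__ == "__main__":
    print(demo())
```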
 
That's Ok here and good to know:

"Check Point will not collect, store, or use your email address for any other purpose."
 
Gooligan spreads when victims download and install an infected app. Crooks are slinging the malware by tricking victims into following malicious links in phishing messages.

So it clearly means you will not be infected easily without falling into that trap.

Obviously, if you are aware of the habits, then no untoward incident will occur. ;)
 