More than one million Google accounts had their security compromised by the Gooligan malware. Google updated Verify Apps in the Google Play Store to prevent users from installing apps infected with Gooligan. How did Gooligan breach these accounts, and what can be done to prevent tokens from being stolen?
Part of the standard security advice for mobile device users is to only install apps from approved app stores, like the Google Play Store for Android devices. Many pieces of mobile malware rely on people installing potentially malicious apps from outside of legitimate app stores. People might install mobile apps using third-party sites or directly from a developer for many different reasons, and this puts them at additional risk, as many mobile malware authors target these apps.
Check Point researchers blogged about the Gooligan malware attack, which starts when someone installs an infected app from outside the Google Play Store. Once the Gooligan malware is installed, it connects to a command-and-control server and downloads a rootkit to take complete control of the vulnerable Android device. Once it has control, it steals the user's Google email account and authentication token, which enables it to access the user's other Google accounts, such as Google Photos, Google Docs and Google Drive.
However, instead of stealing user account data, the malware downloads additional apps from the Google Play Store and leaves positive reviews for them in order to generate ad revenue for the attacker.
To protect your Android device from the Gooligan malware, only install apps from the Google Play Store, and do not approve app installations unless they are from the Google Play Store or an enterprise-approved third-party store. Users may want to periodically check to see if new apps were installed on their devices to make sure they didn't accidentally install something malicious, and should use Check Point's Gooligan Checker to see if their account has been compromised.
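One way to make the periodic app check repeatable, as an added example that is not part of the original article or of Check Point's tooling: the script below parses the output of `adb shell pm list packages -i -3` (third-party packages with their recorded installer) and reports anything not installed by an approved store. The enterprise store package name and the sample output are constructed for illustration, and the `package:<name>  installer=<name>` line format is assumed.

```python
import re

# Installers treated as approved. com.android.vending is the Google Play Store;
# the second entry is a hypothetical enterprise store, replace it with your own.
APPROVED_INSTALLERS = {"com.android.vending", "com.example.enterprise.store"}

# Assumed line format of `pm list packages -i`.
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

# Constructed sample output, not captured from a real device.
SAMPLE_OUTPUT = """\
package:com.example.notes  installer=com.android.vending
package:com.example.wifibooster  installer=null
package:com.example.corpmail  installer=com.example.enterprise.store
package:com.example.game  installer=com.example.thirdparty.market
"""


def parse_pm_list(output):
    """Yield (package, installer) pairs; installer is None when recorded as 'null'."""
    for raw in output.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # skip blank lines and anything that is not a package entry
        installer = match.group("installer")
        yield match.group("pkg"), (None if installer == "null" else installer)


def unapproved_packages(output, approved=APPROVED_INSTALLERS):
    """Return packages whose installer is missing (sideloaded) or not approved."""
    flagged = [(pkg, inst) for pkg, inst in parse_pm_list(output)
               if inst not in approved]
    return sorted(flagged, key=lambda item: item[0])


if __name__ == "__main__":
    for pkg, inst in unapproved_packages(SAMPLE_OUTPUT):
        source = inst or "no installer recorded (sideloaded)"
        print(f"REVIEW {pkg}: {source}")
```

Apps that the malware itself downloads from the Google Play Store would carry the Play Store as their installer, so this check covers the sideloaded entry point only and does not replace reviewing the installed app list.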
Users affected by Gooligan malware should follow Check Point's recommended recovery steps -- flashing the device's OS and changing their Google account password. This is in addition to installing updates on Android devices and for apps installed via the Google Play Store. Users whose Google accounts may have been compromised by any new apps can refer to Google's instructions for help with account recovery.