More than one million Google accounts had their security compromised by the Gooligan malware. Google updated Verify Apps in the Google Play Store to prevent users from installing apps infected with Gooligan. How did Gooligan breach these accounts, and what can be done to prevent tokens from being stolen?
Part of the standard security advice for mobile device users is to install apps only from approved app stores, such as the Google Play Store for Android devices. Much mobile malware depends on people installing apps from outside legitimate app stores. People sideload apps from third-party sites or directly from a developer for many reasons, and doing so exposes them to additional risk, because malware authors deliberately distribute through those channels, where the store's app review and Verify Apps scanning do not stand in the way.
Check Point researchers blogged about the Gooligan malware attack, which starts when someone installs an infected app from outside the Google Play Store. Once installed, Gooligan connects to a command-and-control server and downloads a rooting module that exploits known, unpatched vulnerabilities in older Android versions (Android 4 and 5) to gain full control of the device. With root access, it reads the user's Google account email address and the authentication token that the device stores for that account. That token lets the attacker act as the user against Google services, such as Google Photos, Google Docs and Google Drive, without ever knowing the password; this is the sense in which the accounts were breached.
In practice, rather than exfiltrating the account's data, Gooligan uses the stolen token to install additional apps from the Google Play Store and to post positive ratings and reviews for them, generating ad-fraud revenue for the attacker.
To protect your Android device from the Gooligan malware, install apps only from the Google Play Store, and do not approve app installations unless they come from the Google Play Store or an enterprise-approved third-party store. Users may want to periodically check whether new apps have appeared on their devices, to make sure they didn't accidentally install something malicious, and should use Check Point's Gooligan Checker to see whether their account has been compromised.
Users affected by Gooligan malware should follow Check Point's recommended recovery steps, in this order: flash the device's OS to a clean image, then change the Google account password. The order matters. The flash removes the rooted malware, and the password change invalidates the token the attacker already holds; changing the password first on a still-infected device would simply hand the attacker a fresh token. This is in addition to keeping the Android OS and the apps installed via the Google Play Store up to date, which closes the vulnerabilities Gooligan's rooting module relies on. Users whose Google accounts may have been compromised by any new apps can refer to Google's instructions for help with account recovery.
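As an added example, not from the original article or from Check Point, here is one way to do the "check which apps were installed" step from a workstation with adb. It parses the output of `adb shell pm list packages -i -3` (third-party packages with their installer) and flags every package whose installer is not the Play Store (`com.android.vending`) or another installer you name, which is exactly the sideloading path Gooligan depends on. The package names below are constructed sample data standing in for a real device's output.

```shell
#!/bin/sh
# Added example: flag sideloaded Android packages from `pm list packages -i -3` output.
# Live use:  adb shell pm list packages -i -3 > pm.txt; sideloaded_packages "$(cat pm.txt)"
# Each output line of pm looks like:  package:com.foo.bar  installer=com.android.vending
# "installer=null" means the package was installed with no recorded installer (sideloaded).

# Constructed sample output, NOT captured from a real device; package names are hypothetical.
SAMPLE_PM_OUTPUT='package:com.example.bank  installer=com.android.vending
package:com.example.flashlight  installer=null
package:com.example.cleaner  installer=com.android.packageinstaller
package:com.example.work  installer=com.example.mdm'

# sideloaded_packages PM_OUTPUT [TRUSTED_INSTALLERS]
#   PM_OUTPUT          text as produced by `pm list packages -i -3`
#   TRUSTED_INSTALLERS space-separated installer package names to accept;
#                      defaults to the Play Store only. An enterprise store
#                      (here the hypothetical com.example.mdm) can be added.
# Prints "<package> <installer>" for every package not installed by a trusted installer.
sideloaded_packages() {
    _pm="$1"
    _trusted="${2:-com.android.vending}"
    printf '%s\n' "$_pm" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        pkg=${line#package:}          # strip the "package:" prefix
        pkg=${pkg%% *}                # keep only the package name
        inst=${line##*installer=}     # everything after "installer="
        ok=0
        for t in $_trusted; do
            [ "$inst" = "$t" ] && ok=1
        done
        [ "$ok" -eq 1 ] || printf '%s %s\n' "$pkg" "$inst"
    done
}

# Stand-alone run over the constructed sample: expect three flagged packages.
sideloaded_packages "$SAMPLE_PM_OUTPUT"
```

Run this against a freshly enrolled device to get a baseline, then diff later runs against it; any new line is an app that arrived outside the store. The installer field is self-reported by the installing component and a rooted device can rewrite it, so treat a clean result as necessary but not sufficient once the device is suspected of being compromised.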
Related Q&A from Nick Lewis
A new remote access Trojan called UBoatRAT was found spreading via Google services and GitHub. Learn how spotting command-and-control systems can ...
CyberArk researchers created an attack called Golden SAML that uses Mimikatz techniques and applied it to a federated environment. Learn more about ...
The use of botnets to spread Scarab ransomware intensifies the threat for enterprises. Discover the best way to respond to such a threat and protect ...