More than one million Google accounts had their security compromised by the Gooligan malware. Google updated Verify Apps in the Google Play Store to prevent users from installing apps infected with Gooligan. How did Gooligan breach these accounts, and what can be done to prevent tokens from being stolen?
Part of the standard security advice for mobile device users is to install apps only from approved app stores, such as the Google Play Store for Android devices. Much mobile malware relies on people installing potentially malicious apps from outside legitimate app stores. People install mobile apps from third-party sites or directly from a developer for many different reasons, and this puts them at additional risk, as many mobile malware authors target these sideloading channels.
Check Point researchers blogged about the Gooligan malware attack, which starts when someone installs an infected app from outside the Google Play Store. Once the Gooligan malware is installed, it connects to a command-and-control server and downloads a rootkit to take complete control of the vulnerable Android device. Once it has control, it steals the user's Google email account and authentication token, which enables it to access the user's other Google accounts, such as Google Photos, Google Docs and Google Drive.
However, rather than using that access to steal user account data, the malware downloads additional apps from the Google Play Store and leaves positive reviews for them in order to generate ad revenue for the attacker.
To protect your Android device from the Gooligan malware, only install apps from the Google Play Store, and do not approve app installations unless they are from the Google Play Store or an enterprise-approved third-party store. Users may want to periodically check whether new apps were installed on their devices to make sure they didn't accidentally install something malicious, and should use Check Point's Gooligan Checker to see if their account has been compromised.
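One way to make that periodic check routine: the Android package manager records which app installed each package, so a short script can list third-party apps that did not come from the Play Store. This is an added example, not code from the article or from Check Point; it assumes a device reachable over adb and that `pm list packages -3 -i` prints lines of the form `package:<name>  installer=<installer or null>`.

```shell
# Added example (not from the original article): flag third-party packages that
# were not installed by the Google Play Store, using the installer recorded by
# the Android package manager. Assumes the device is reachable over adb and that
# `pm list packages -3 -i` prints lines of the form
#   package:<name>  installer=<installer package or null>
# (the exact package-manager output format is an assumption to verify on your build).

# Reads package-manager output on stdin; prints one sideloaded package per line.
flag_sideloaded() {
    awk '
        /^package:/ {
            pkg = $1; sub(/^package:/, "", pkg)
            inst = "null"
            for (i = 2; i <= NF; i++) if ($i ~ /^installer=/) inst = substr($i, 11)
            # Play Store installs are recorded as com.android.vending; anything
            # else (a browser, a file manager, or "null") was sideloaded.
            if (inst != "com.android.vending") print pkg " (installer=" inst ")"
        }'
}

# Pulls the list from a connected device: third-party apps only, with installer.
check_device() {
    adb shell pm list packages -3 -i | flag_sideloaded
}

# Constructed sample output, so the filter can be exercised without a device.
SAMPLE_PM_OUTPUT='package:com.example.bank  installer=com.android.vending
package:com.example.game  installer=null
package:com.example.tool  installer=com.android.chrome'

case "${1:-}" in
    --device) check_device ;;
    --demo)   printf "%s\n" "$SAMPLE_PM_OUTPUT" | flag_sideloaded ;;
esac
```

Run with `--demo` to see the filter on the constructed sample, or `--device` against a connected phone; any package it prints deserves a second look.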
Users affected by Gooligan malware should follow Check Point's recommended recovery steps -- flashing the device's OS and changing their Google account password. This is in addition to installing updates on Android devices and for apps installed via the Google Play Store. Users whose Google accounts may have been compromised by any new apps can refer to Google's instructions for help with account recovery.