’Tis the season for malware!
On Wednesday, November 30th 2016, security firm Check Point uncovered an advertising fraud scheme named Gooligan. A variant of an Android malware campaign that Check Point researchers found in the SnapPea App in 2015, it infects Smartphones and tablets, stealing logins and passwords using its built-in keylogger.
Thus the hackers gain access to the following:
- Google Play
- Google Photos
- Google Docs
- G Suite
- Google Drive
- Programs accessed using a Google Account
Already some 1,000,000 customers have been infected, 50% of them in Asia alone.
So what exactly is Gooligan? And how bad is it, anyway?
Check Point warns of Gooligan – How Gooligan Works
Gooligan, a Trojan horse type of malware, belongs to the Ghost Push family of malware.
The infection begins when a user downloads and installs a Gooligan-infected App from a third-party App Store, or even the Google Play Store. The infected App sends data about the device to the campaign’s Command and Control (C&C) server. Names of the malicious Apps include:
- Perfect Cleaner
- WiFi Enhancer
Gooligan then downloads a rootkit from the C&C server. This rootkit exploits the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153) vulnerabilities in Android 4.0 Ice Cream Sandwich and Android 5.0 Jellybean. These exploits still work because of Android Fragmentation, which I’d pointed out in Why Android Fragmentation Worsens as Apple iOS 8 adoption almost complete.
Once installed, these Apps automatically force your smartphone to install other Apps that contain a keylogger, stealing usernames and passwords in order to post fake reviews. This is basically advertising fraud, and it has already infected some 1,000,000 devices at a rate of 13,000 devices per day.
Soon the hackers have full control of the device and can remotely execute commands as if they held your smartphone or tablet in their hands. They can even download further rootkits that infect Google Play or GMS (Google Mobile Services) to mimic user behavior.
This makes it harder to detect, a signature trait of another mobile malware, HummingBad. The malicious software is embedded in legitimate Apps for Android smartphones and tablets. Removing the rootkits basically requires reinstalling a fresh copy of Android on your device.
Worse, although the Gooligan Apps mostly come from third-party App stores and not the Google Play store, Check Point claims that some of the Gooligan Apps come from the Google Play store as well. Android users can check whether their account has been compromised by visiting Check Point’s website: http://gooligan.checkpoint.com/.
Developers fall prey to Hackers’ offer of Traffic – AI will make Apps obsolete
Apparently the makers of the Gooligan App are cashing in on their success by signing up App Developers desperate to get people to download their Apps.
Developers, feeling the burn, are making a desperate grab for a market share that mostly just uses WhatsApp and plays Candy Crush Saga all day. These hackers are making US$320,000 a month from Gooligan, as many App Developers are willing to pay them, most likely in bitcoins via the Dark Net, to get their Apps downloaded and generate the traffic that makes revenue, as explained in Smartphones and Apps – Freemium Games are No. 1.
Americans are no longer crazy about downloading their well-crafted Apps; Social Media and Games occupy their free time as they try to conserve megabytes. Still, with some 1,000,000 devices infected, this may be the single largest hack in the history of Google Android.
The writing is on the wall for App Developers as this is a sign of their desperation; AI is taking over in 2017, as Apps are so 2016.