Android is undoubtedly one of the most vulnerable operating systems for smartphones, with hackers developing new Android malware every 17 seconds.
To prove the point, researchers have exposed a malware campaign known as “Gooligan” that has been targeting Android users and so far has breached more than 1 million Google accounts of users around the world.
The attack was discovered by researchers at IT security firm CheckPoint, who detailed that the Gooligan attack is so massive that it is breaching 13,000 Android devices per day and stealing Google accounts, including Gmail, Google Drive, Google Docs, Google Play, Google Photos, G Suite and several other services provided by the technology giant.
How does the Gooligan attack infect Android devices?
Researchers have found several Gooligan-infected apps on third-party stores.
Upon installing them, the malware collects data about the device and downloads its rootkit.
It then roots the device, downloads its own module and steals authentication tokens that are used to hack Google accounts.
However, researchers have warned that hackers can also target users with phishing emails carrying Gooligan-infected links.
Once the victim installs that app, Gooligan gains root permissions and replaces the original app by conducting a privilege escalation attack similar to rooting apps like Towelroot and Kingroot or even malware like Godless and HummingBad.
The Gooligan attack takes advantage of multiple Android 4 (Jelly Bean, KitKat) and 5 (Lollipop) exploits, including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153), and sends data to its Command and Control (C&C) server.
Explaining these exploits, CheckPoint stated:
“These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user.
If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.”
Another astonishing fact about Gooligan is that it also installs adware on an infected device in order to earn revenue from the user’s online activities.
That’s not all: the malware also rates itself on Google Play Store to increase its reputation, so other users can be tricked into downloading this app and cyber criminals can continue with their scam.
CheckPoint has already reported the massive scam attack to Google, and both firms are working together to fix the issue and cancel the authentication tokens stolen during the Gooligan attack. Looking at the pace of this attack, however, it is clear that it is spreading like wildfire, and it may take a while for Google to solve the issue and release an update.
“Gooligan has breached over a million Google accounts. We believe that it is the largest Google account breach to date,” says CheckPoint.
If you are an Android user, here is a list of Gooligan malware-infected apps which should be avoided on your smartphone.