Ghost Push Returns with the Biggest Ever Theft of Google Accounts – Over 1 Million Accounts Hit

Rafia Shaikh
Posted Nov 30, 2016

Researchers have discovered a new family of malware targeting Android devices. The malware has compromised over 1 million Google accounts so far, including hundreds belonging to enterprise users.

Meet Gooligan – an Android malware that could infect over a billion devices

Another day, another Android security catastrophe? It appears so. Researchers at security firm Check Point Software Technologies have uncovered a new malware family, which they are calling Gooligan, that has evolved from Ghost Push. An aggressive variant of Ghost Push, this Android malware is believed to be responsible for the biggest single theft of Google accounts recorded so far. The Gooligan strain has infected nearly 1.3 million Android phones since August, stealing data and forcing users to download apps as part of a malvertising scheme.

The infection starts when a user visits a compromised website, where they are encouraged to download software to get access to content. At least 86 apps available in third-party app stores have been found carrying the Gooligan malware strain. Once installed, the infected app roots the device to gain system-level access. The rooted device then downloads and installs a module that steals the Google authentication tokens stored on it. These tokens allow the attackers to access the user’s Google accounts without having to enter a password, and they work with a number of Google services, including Docs, Gmail, Drive, and Photos.

But the primary focus of the malware seems to be yet another massive advertising campaign. The group responsible for the malware strain is believed to earn as much as $320,000 a month from it. Gooligan has also been spreading at an alarming rate since the start of November, infecting an average of 13,000 new devices every day.

The Murky World of "Unknown Sources" Accounts for Majority of Android Malware Installations

Researchers say the malware affects devices running Android versions from Jelly Bean (4.1) through Lollipop (5.x). Android 6 Marshmallow and Android 7 Nougat aren’t believed to be vulnerable to this malware family. However, because new Android versions are adopted slowly, at least 74% of all Android users are still on affected versions, which amounts to around 1.03 billion devices at risk.

Google says “no evidence of user data access”

Check Point was able to trace the attackers’ servers and found 1.3 million real Google accounts on them, hundreds of them business accounts. The researchers also said that the infected devices were downloading over 30,000 apps every day. It should be remembered that several previously reported multi-million leaks of Google accounts were later proven to be false.

Android security engineer Adrian Ludwig said the team was working closely with Check Point to investigate the Android malware family and to protect users. Ludwig claimed there was no evidence data was accessed from the compromised accounts, adding that users would receive a warning when such a malware strain was detected on their devices.

“We’ve taken many actions to protect our users and improve the security of the Android ecosystem overall,” Ludwig wrote this Wednesday morning. “These include: revoking affected users’ Google Account tokens, providing them with clear instructions to sign back in securely, removing apps related to this issue from affected devices, deploying enduring Verify Apps improvements to protect users from these apps in the future and collaborating with ISPs to eliminate this malware altogether.”

As a rule, users are advised not to install apps from third-party marketplaces. If you have, you can visit this link to check whether the associated Google account has been compromised. If your account has been hit, change your Google password immediately. Because the malware roots the device, researchers also recommend a clean installation of Android (re-flashing) on an infected phone rather than simply removing the offending apps.
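One quick triage step a practitioner can take on a suspect handset is to check where each user-installed app came from, since the article's infection chain starts with apps from third-party stores rather than Google Play. The script below is an added example, not code from the article or from Check Point. It parses the output format of `adb shell pm list packages -3 -i` (`-3` lists only non-system packages, `-i` appends the installer package; apps from the Play Store report `installer=com.android.vending`, while sideloaded apps report `installer=null` or the name of a third-party store app). The `SAMPLE_PM_OUTPUT` data and the package names in it are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article): list user-installed Android packages
# that did not come from the Play Store, using the output of
#   adb shell pm list packages -3 -i
# Each line of that output looks like:
#   package:com.example.app  installer=com.android.vending

# Constructed sample of `pm list packages -3 -i` output (not real device data).
SAMPLE_PM_OUTPUT='package:com.google.android.gm  installer=com.android.vending
package:com.example.wallpaper  installer=null
package:com.example.cleaner  installer=com.thirdparty.store
package:com.example.notes  installer=com.android.vending
package:com.example.oldformat'

# list_sideloaded: read pm output on stdin; print "<package> <installer>" for
# every package whose installer is not the Play Store (com.android.vending).
# A missing installer field is reported as "unknown" so it is not silently skipped.
list_sideloaded() {
    awk '
        /^package:/ {
            pkg = $1
            sub(/^package:/, "", pkg)
            inst = "unknown"
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^installer=/) { inst = substr($i, 11) }
            }
            if (inst != "com.android.vending") { print pkg, inst }
        }'
}

# sideloaded_count: same input, prints only the number of flagged packages.
sideloaded_count() {
    list_sideloaded | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample. On a real device, pipe the live
# output instead:  adb shell pm list packages -3 -i | list_sideloaded
printf '%s\n' "$SAMPLE_PM_OUTPUT" | list_sideloaded
```

Flagged packages are candidates for closer inspection (APK hash lookup, removal, or the full re-flash the researchers recommend), not proof of infection: a legitimately sideloaded app reports `installer=null` too. The check also says nothing about whether the device has already been rooted, so treat it as a first pass rather than a verdict.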
