Gooligan on a rampage! | Forensic 101

Published: 15 December 2016
on channel: Forensic 101

Researchers at Check Point Technologies have revealed that a malware family called “Gooligan” targets authentication tokens to breach data from several Google-developed services, including Gmail, G-Suite, Drive, Photos, Docs, Google Play and more. The malware typically affects older Android devices running Jelly Bean or KitKat (Android 4) or Lollipop (Android 5) and their subsequent variants, compromising 13000 Android devices every day.

How does Gooligan work?

Once the infected app (a third-party app) is installed, it sends data about the device to the campaign’s Command and Control (C&C) server. From there a rootkit is downloaded onto the device. The rootkit gives the attacker full control of the device: they can run “privileged commands remotely” and steal authorization tokens, which bypasses the need for two-factor authentication. Gooligan also injects a new “malicious module” into Google Play, which allows it to steal email data, install apps from the Store and raise their rankings, install adware, and so on. Check Point found that victims had left ratings and reviews for some apps even though they had no knowledge of installing them.
Check Point researchers concluded by stating:
Android devices running on 4 and 5 total a staggering 74% of all Android devices in use today, with 57% of those devices located in Asia, 19% in the Americas and about 9% in Europe. Gooligan has breached over a million Google accounts. We believe that it is the largest Google account breach to date.