Nov 30th, 2016

Malware scares are by and large common at this point, but a new concern has popped up that deseves some attention. Check Point, the security research team who has uncovered a lot of this stuff as of late, has discovered a new form of malware that they’re calling Gooligan.

Gooligan is based on the Ghost Push malware that came into prominence last year, where the malware installs a rootkit on the user’s phone and uses API tricks to hide itself from malware-busting checks. For this battle, Gooligan has taken on a form that gives it an ability to intercept Google account tokens from Google apps, which it then uses to inject code into Google Play Services to secretly download fraudulent apps.

It’s said that over 1 million Google accounts have been affected by this issue, but before you freak out let’s consider a few things:

  • Google says that the malware’s behavior is similar to the intent of other Ghost Push-based methods in that it’s only interested in using their capabilities to push apps and adware, and not necessarily stealing user data. For their part, they say no user data has been compromised on their end.
  • The issues affect Android 5.0 Lollipop and earlier, with Android 6.0 and higher being safe.
  • Even still, it’s unlikely that this malware made it through Google Play’s security platform, and Google says there’s no evidence of that, either.
  • As such, this issue likely affected users who get their apps from untrustworthy third-party app stores.

For those potentially affected, Google says they’ve already taken precautionary and reactionary methods, including revoking account tokens for those affected and using Verified Boot on newer platforms to ensure no illegal modifications have been made to the system partition. Beyond that, Google says they’re continuing to work with device manufacturers and service providers to keep as many devices updated as they can to ensure users are shielded from these sorts of attacks in their ongoing effort to strengthen internet security.