A new malicious threat known as Gooligan has attacked over a million Android devices and infects thousands of new hosts daily.
The Gooligan Malware is A Serious Danger To All Android Users
A new Android malware known as Gooligan has been identified by security experts from Check Point Security. According to their analysis, the recent malware campaign that served the virus has breached the security of over one million Google users. Infections continue to rise, with 13 000 new breaches carried out every day.
The malware can “root” infected devices and steal the authentication tokens used to access services such as Google Play, Gmail, Google Photos, Google Docs, Google Suite, Google Drive and others.
The Gooligan malware affects Android devices that run version 4 (Jelly Bean and KitKat) and 5 (Lollipop), which together account for the majority of the operating system's market share. About 57% of the compromised installations are in Asia and only about 9% are in Europe.
The infections were made through numerous counterfeit applications which were distributed in third-party repositories and various download sites.
The first samples of Gooligan were identified in code snippets that were featured in a malicious app called SnapPea. The code was later updated by the malware developers and new features were added. The new Gooligan threat has a complex architecture that injects code into the system processes of the Android operating system. Besides third-party repositories, the Gooligan malware can also be downloaded by clicking on malicious links found in spam emails sent by the hackers.
Upon infection, the malware gathers data about the compromised device and sends it back to the remote malicious C&C servers. The Gooligan virus then proceeds to download a rootkit which uses various exploits to root the device. When this is achieved, the hackers gain full control of the device, making privileged remote code execution possible.
However, Gooligan doesn’t stop there. The malware can download new modules from the servers and install them on the compromised devices. They are placed on the Android devices using code injection into the Google Play or Google Mobile Services processes. They give the virus the following capabilities:
- Steal the user’s associated Google account and authentication token data
- Install various applications from the Google Play repository and rate them to raise their reputation
- Install additional adware and malware for additional income gain
Similar to other attacks, this malware also uses fake device identification information, such as the IMSI and IMEI numbers, to download various applications twice. This is a widely used strategy to double the potential income that is agreed between the malicious ad marketers and the criminals.
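The duplicate-install behaviour described above can be looked for from the store or ad-network side. The following Python sketch is an added example, not code from Check Point or from the original article. The event schema, account names, package names and identifiers are all constructed, and it assumes both installs are tied to the same Google account.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample install events (hypothetical schema, not real telemetry):
# (timestamp, account, app package, reported IMEI, reported IMSI)
SAMPLE_EVENTS = [
    # Same account, same app, two different device identities minutes apart.
    ("2016-11-30T10:00:05", "user-a", "com.example.game", "350000000000001", "310000000000001"),
    ("2016-11-30T10:03:40", "user-a", "com.example.game", "350000000000099", "310000000000099"),
    # Single install, nothing unusual.
    ("2016-11-30T11:15:00", "user-b", "com.example.game", "350000000000002", "310000000000002"),
    # Same account on a new device weeks later (e.g. a phone upgrade).
    ("2016-11-30T12:00:00", "user-c", "com.example.tool", "350000000000003", "310000000000003"),
    ("2016-12-20T09:00:00", "user-c", "com.example.tool", "350000000000004", "310000000000004"),
    # Reinstall on the same device: identity is unchanged.
    ("2016-11-30T13:00:00", "user-d", "com.example.tool", "350000000000005", "310000000000005"),
    ("2016-11-30T13:01:00", "user-d", "com.example.tool", "350000000000005", "310000000000005"),
]


def find_duplicate_identity_installs(events, window=timedelta(hours=1)):
    """Flag (account, app) pairs installed under different IMEI/IMSI
    identities within `window` of each other."""
    by_key = defaultdict(list)
    for ts, account, app, imei, imsi in events:
        by_key[(account, app)].append((datetime.fromisoformat(ts), (imei, imsi)))

    findings = []
    for (account, app), installs in sorted(by_key.items()):
        installs.sort()  # chronological order
        # Any identity change inside the window shows up between neighbours.
        for (t1, id1), (t2, id2) in zip(installs, installs[1:]):
            if id1 != id2 and t2 - t1 <= window:
                findings.append({
                    "account": account,
                    "app": app,
                    "identities": [id1, id2],
                    "gap_seconds": int((t2 - t1).total_seconds()),
                })
                break  # one finding per (account, app) is enough for triage
    return findings


if __name__ == "__main__":
    for finding in find_duplicate_identity_installs(SAMPLE_EVENTS):
        print(finding)
```

The one-hour window is an arbitrary starting point; a legitimate device change normally shows a much longer gap between installs, as the `user-c` sample does.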
The security experts have immediately notified Google about the threat and the company is working on security updates that will amend the issue.
List Of Gooligan Infected Apps
Here is the full list of Android apps that are infected with the Gooligan malware:
- Small Blue Point
- Puzzle Bubble-Pet Paradise
- Wifi Speed Pro
- Sexy hot wallpaper
- Talking Tom 3