
Gooligan, an Android OS malware, breached more than a million Google accounts

By Bryan Chan & Liu Hongzuo - on 1 Dec 2016, 12:56pm


A new Android OS malware responsible for breaching more than one million Google accounts has been discovered by cyber-security firm Check Point. The malware, which Check Point has named Gooligan, has a global presence, and the Google authentication tokens it steals can be used to access a victim's data in Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.


Gooligan infects a device when a user installs a trojanised app on a vulnerable Android device, or taps a malicious link in a phishing message that leads to such an app. Once installed, the malware downloads a rooting module (which Check Point describes as a rootkit) from the attackers' servers; this module exploits known privilege-escalation weaknesses in Android 4 and Android 5. A successful root grants the attackers full, privileged control of the infected phone. Gooligan then injects code into Google Play and Google Mobile Services to mimic normal user behaviour and avoid detection, while it does the following:

  • Steals the user's Google account e-mail address and authentication token
  • Installs apps from Google Play and rates them to inflate their reputation
  • Installs adware to generate revenue for the attackers

According to Check Point, 57 percent of the one million breached accounts are located in Asia; the rest are spread across the Americas, Africa, and Europe at 19 percent, 15 percent, and nine percent respectively. Gooligan can infect devices running Android 4 (Jelly Bean, KitKat) and Android 5 (Lollipop), which together made up more than 74 percent of in-market Android devices as of last month. Newer Android releases are not affected by the rooting exploits it carries. Gooligan's code first appeared in July 2015, before undergoing various changes to reach its current August 2016 iteration.

Here's the list of infected apps and more information about the Gooligan malware.


Am I affected?

Go to this URL to check whether your Google account has been breached by entering the e-mail address associated with your Android device.

Currently, the only remedy for users of an infected device is to re-flash its operating system, because the malware has root access and cannot be reliably removed by uninstalling apps. Check Point recommends that affected users have a certified technician perform a clean OS installation on the phone, and that they change their Google account password only after the device has been re-flashed, since a password changed on a still-infected device may be captured again.


Source: Check Point (blog), BGR