Communications Daily is a service of Warren Communications News.
'Significant Risk'

Latest Android-Targeted Malware Prompts Warnings From Security Companies

Security companies used the news of the Gooligan malware attack revealed Wednesday by Check Point Software as an opportunity to remind consumers of the dangers in connected ecosystems and linked accounts. The attack breached the security of more than a million Google accounts, said a Check Point blog post, and is spreading to 13,000 newly breached devices a day.


Gooligan malware roots infected devices and steals authentication tokens that can be used to access data from properties including Google Play, Gmail, Google Photos and Google Docs, said Check Point. It’s a new variant of an Android malware campaign Check Point found in the SnapPea app last year, it said.

Software security company Tripwire said researchers have found the Gooligan malware in at least 86 apps available in third-party marketplaces. “Gooligan is yet another reminder that using third party app stores carries significant risk,” said Tim Erlin, Tripwire senior director-IT security and risk strategy. “The more that we centralize our data into a single account with Google, Apple, Microsoft or others, the greater risk a compromise of those accounts presents.” When data is all in one place, “that’s where the attackers will go,” Erlin said.

The Android platform is an “easier target for cyber villains” than trying to penetrate security protecting Apple’s iOS, said Thomas Pore, director-IT and security for security analytics company Plixer International. Android users “inherently take on additional risk” compared with iOS users “purely based on application security vetting,” said Pore. Apple and Google both do well at vetting apps for security, Pore said, but “it’s much easier to install a third-party application within Android that has not gone through a vetting process.” That makes Android users “a much easier target for compromise.”

Google’s security team has been tracking since 2014 a family of malware called “Ghost Push,” one of a group of “Potentially Harmful Apps” (PHAs) known as “hostile downloaders,” the company emailed us in a statement attributed to Adrian Ludwig, Google director-Android security. The apps are “most often downloaded outside of Google Play and after they are installed, Ghost Push apps try to download other apps,” said Ludwig. Google has been using Verify Apps to notify users before they install a PHA and let them know if they’ve been affected by this family of malware, Ludwig said.

Ghost Push has continued to evolve. Last year alone, Google found more than 40,000 apps associated with Ghost Push, said Ludwig, and its systems “detect and prevent” installations of more than 150,000 of its variants. “Several Ghost Push variants use publicly known vulnerabilities that are unpatched on older devices to gain privileges that allow them to install applications without user consent,” said Ludwig, saying Google has been working with Check Point to protect users from variants such as Gooligan.

There is no evidence of user data access as a result of Gooligan, said Ludwig, and no evidence that specific users, enterprises or groups were targeted. Ghost Push is opportunistically installing apps on older devices. Verified Boot, which is enabled on newer devices, “prevents modification of the system partition” and allows users to remove Ghost Push, he said. Device updates can also help mitigate risks, he said.

Google has acted to protect users and improve the security of the Android ecosystem. Ludwig said such steps include revoking affected users’ Google account tokens, instructing them how to sign back in securely, removing apps related to malware from affected devices, deploying the Verify Apps improvements and collaborating with ISPs to eliminate the malware.