An IT security firm Check Point Software Technologies who are well known for firewalls and other It security products have found malware applications in the Android marketplace which have compromised more than 1 million Google accounts. The majority of these would be free personal email accounts “ @gmail.com” however many others are said to be organisation email accounts used by G Suite (formally known as Google Apps) posing a huge threat to organisations data.
Check Point have labelled the malware as Gooligan which has been found in at least 86 apps available in third-party marketplaces. Once a user installs an app containing this malware, it uses a process known as rooting to gain highly privileged system access to devices running version 4 (Ice Cream Sandwich, Jelly Bean, and KitKat) and version 5 (Lollipop) of an Android mobile phone, tablet or other device.
Once the device is compromised it then download and install software that steals the authentication tokens that allow the phones to access the owner’s Google-related accounts without having to enter a password. This allows cybercriminals to access many of the Google Services on that device including Gmail, Google Photos, Google Docs & sheets, Google Calendar, Google Drive, Google Keep and other applications as part of G Suite.
If your organisation uses G Suite, then staff may have compromised your business data in Google Drive or Gmail, so you should act to rectify the situation.
Check Point published a blog with their discoveries, informing the public that:
“The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device. Our research team has found infected apps on third-party app stores, but they could also be downloaded by Android users directly by tapping malicious links in phishing attack messages. After an infected app is installed, it sends data about the device to the campaign’s Command and Control (C&C) server.
Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153). These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user. If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.
After achieving root access, Gooligan downloads a new, malicious module from the C&C server and installs it on the infected device. This module injects code into running Google Play or GMS (Google Mobile Services) to mimic user behavior so Gooligan can avoid detection, a technique first seen with the mobile malware HummingBad. The module allows Gooligan to:
Steal a user’s Google email account and authentication token information
Install apps from Google Play and rate them to raise their reputation
Install adware to generate revenue
Ad servers, which don’t know whether an app using its service is malicious or not, send Gooligan the names of the apps to download from Google Play. After an app is installed, the ad service pays the attacker. Then the malware leaves a positive review and a high rating on Google Play using content it receives from the C&C server”
Director of Android Security Adrian Ludwig said he and other Google officials have worked closely with Check Point over the past few weeks to investigate Gooligan and to protect users against the threat it poses. He said:
“We’ve taken many actions to protect our users and improve the security of the Android ecosystem overall,” Ludwig wrote. “These include: revoking affected users’ Google Account tokens, providing them with clear instructions to sign back in securely, removing apps related to this issue from affected devices, deploying enduring Verify Apps improvements to protect users from these apps in the future and collaborating with ISPs to eliminate this malware altogether.”
Who is affected
Gooligan potentially affects devices on Android 4 and 5, which is over 74% of in-market devices today. About 57% of these devices are located in Asia (including Australia)
Image from http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/
How do you know if your Google account is breached
You can check if your account is compromised by accessing the following web site that we created: https://gooligan.checkpoint.com/.
Simply enter email address and it will advise if your account is breached or not. (you can trust entering your email address with CheckPoint, they are the good guys, I can vouch for their products)
If your account has been breached, the following steps are required:
- Backup all your data on your android device, especially photos. (not including applications as some may be compromised)
- A clean installation of an operating system on your mobile device is required (a process called “flashing”). As this is a complex process, we recommend powering off your device and approaching a certified technician, or your mobile service provider, to request that your device be “re-flashed.”
- Change your Google account passwords immediately after this process.
How to protect your G Suite organisation from these threats
As BYOD (Bring Your own Device) is very popular for employees these days, IT departments or small business owners need to put measures in place to protect their company data on staff mobile devices.
Here are a few recommendations to protect your organisation’s data.
- Enforce 2-step authentication for all Google account. 2-step authentication prevents cybercriminals from logging into your Google account if your email address & password is compromised like in the example above as they require an additional code which is often a sms sent to your mobile. Read more here http://www.onsitehelper.com/blog/99-2-step-authentication
- Use Device Management in G Suite admin control panel to allow/deny staff access to G Suite on their mobile devices. Also enforce password policies to protect the allowed devices. Read more here https://support.google.com/a/answer/1734200?hl=en
- Setup Chrome management to only allow approved application & extensions to be installed on Chrome webstore. Perform thorough research and testing on Chrome & Android apps before you put it on the allowed list for staff to install on their Chrome browser or Android device. Read more here https://goo.gl/ZqErfl
- Implement a 3rd party backup of your G Suite accounts to protect your data. We partner with Spanning backup & Backupify to protect our clients G Suite accounts. Read more here http://www.onsitehelper.com/blog/108-the-importance-of-backups-particularly-when-using-cloud-based-applications/