After thorough research performed by our mobile threat prevention (MTP) partner, Check Point, a new and alarming type of malware campaign has been identified. Known as Gooligan, this malware is used to generate ad revenue on the Android platform. Check Point noted that as of the end of November, Gooligan had breached the security of more than one million Google accounts, with an additional 13,000 devices being impacted each day.

A new variant of the Android malware campaign Check Point identified in the SnapPea app last year, Gooligan works by rooting infected devices and then stealing authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive and more. Upon identification, Check Point notified Google Security of the malware and the two worked closely to investigate the source of the campaign.

[Figure: How the Gooligan Campaign Works. Source: Check Point Blog, Nov. 30, 2016]

According to Check Point, Gooligan potentially affects devices on Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), or roughly 74% of in-market devices today. Of these devices, 57% are located in Asia, 19% in the Americas, 15% in Africa and about 9% in Europe.

Google has since taken several steps to ensure Android is as secure and safe as possible, revoking compromised tokens to prevent the malicious actors from using them to generate additional ad revenue. Google also made changes to ensure similar software is not distributed through the Google Play Store. However, individual users can use the following website Check Point created to determine whether an account has been compromised: https://gooligan.checkpoint.com/. If an account has been breached, follow these steps to address the issue:

  1. A clean installation of an operating system on the mobile device is required (a process called “flashing”). As this is a complex process, we recommend powering off the device and approaching a certified technician, or the mobile service provider, to request that the device be “re-flashed.”
  2. Change the Google account passwords immediately after this process.

To protect your business and its users, our partners from AirWatch recommend the following:

  1. Enable root detection on your Android devices.
  2. Encourage your Android users to upgrade to the latest versions of the operating system (OS) available.
  3. Encourage users to download applications from trusted application stores, like the Google Play Store, where Google blocks malicious apps through a number of steps, including verified apps, malware scanning, manual review and more.
  4. Educate your end users on the importance of running the most recent versions of mobile operating systems. Encourage them to install all security patches as they become available.
  5. Consider partnering with the MTD partners in the VMware Mobile Security Alliance (MSA) community to provide additional levels of mobile security.
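The first recommendation above, root detection, is usually enforced by the MDM's compliance engine, but an app handling sensitive data can also run its own check before trusting the device. The following is an added example written for this article and is not AirWatch, VMware or Check Point code; the class name RootDetector and the list of su paths are assumptions, and the checks are common heuristics (build signed with test keys, an su binary on disk, `which su` returning a path), not a definitive rooting test.

```java
// Added example (not AirWatch/Check Point code): basic root-detection heuristics
// an Android app can run before handling sensitive data. Hypothetical helper class.
import android.os.Build;

import java.io.BufferedReader;
import java.io.File;
import java.io.InputStreamReader;

public final class RootDetector {

    // Locations where rooting tools commonly install an su binary (assumed list).
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/system/sd/xbin/su",
        "/data/local/xbin/su", "/data/local/bin/su", "/data/local/su", "/su/bin/su"
    };

    private RootDetector() {}

    // Production builds are signed with release keys; "test-keys" indicates a custom
    // or engineering ROM, which is a weaker but useful signal.
    public static boolean hasTestKeysBuild() {
        String tags = Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }

    // Direct check for an su binary in the usual places.
    public static boolean hasSuBinary() {
        for (String path : SU_PATHS) {
            if (new File(path).exists()) {
                return true;
            }
        }
        return false;
    }

    // Ask the shell to locate su; any output line means it is on the PATH.
    public static boolean whichSuSucceeds() {
        Process proc = null;
        try {
            proc = Runtime.getRuntime().exec(new String[] { "/system/xbin/which", "su" });
            BufferedReader reader =
                new BufferedReader(new InputStreamReader(proc.getInputStream()));
            return reader.readLine() != null;
        } catch (Throwable t) {
            // which is missing or not executable on this build: treat as "no signal"
            return false;
        } finally {
            if (proc != null) {
                proc.destroy();
            }
        }
    }

    // Combined verdict: any single signal is enough to flag the device for review.
    public static boolean isLikelyRooted() {
        return hasTestKeysBuild() || hasSuBinary() || whichSuSucceeds();
    }
}
```

A result of `true` from `isLikelyRooted()` should feed the same compliance policy the MDM enforces (block access to corporate resources, alert the administrator) rather than silently failing. Because these are file-system and build-property checks, root-hiding tools can defeat them; where the device supports it, a platform attestation service such as SafetyNet gives a stronger, server-verifiable signal and should be layered on top.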

If you have any questions about how to implement these steps, contact our team for help.