Gooligan Malware Takes Over Android Devices at a Rate of 13,000 Per Day

December 9, 2016

Android devices are again the targets of malware. This one has been roaming the wild for a couple of years, but is showing up again, some would say “en masse.” Gooligan has been found in at least 86 malicious apps. Around 13,000 Android devices are being infected on a daily basis, according to the Israeli security company Check Point Software.

Again, these apps made it onto the various devices as a result of the owners sideloading them from PCs or other devices. Therefore, if you sideload apps, reconsider the practice and download apps only from the official app store.

Some may not even know which operating system (which is what “Android” refers to) is on their devices. At a high level, if you are using a Google device such as the new Pixel smartphone or the Nexus tablet, it will most certainly be running Android. If you use a Kindle or an HTC, LG, or Samsung smartphone, it is also most likely running the Android operating system. If you don’t know which operating system your devices are using, find out.

Gooligan uses a type of malware called Ghost Push. Once it gets onto a device, it can do all kinds of things, such as sending annoying pop-up ads in an effort to get the user to install even more malicious apps, as well as getting access to Google accounts that are associated with the user’s Google credentials. This is because a token is issued by Android that allows those devices to permanently, or mostly permanently, log into the device automatically. Therefore, Gooligan can pretend to be a user, submit 5-star reviews, and attract others to apps that distribute it. This is why it is so important to check reviews and do research on apps before allowing them on your devices. If an app has only a few reviews and they are all glowing, it may be a good idea to wait a while before downloading it. You want to see constructive reviews as well, not just a bunch of 5-star ratings.

Some good news is that it does not appear that Gooligan steals sensitive data. Google is also working hard to block Ghost Push. It has tracked more than 40,000 Ghost Push apps and taken action against them. It has also been able to interfere with the command-and-control servers trying to distribute it.

Check Point has a “Gooligan Checker” web page that supposedly allows users to see if their Google account has been compromised. A few of the affected apps are reported to be called StopWatch, Perfect Cleaner, and WiFi Enhancer. They will exploit devices running Android 4.1-4.3 Jelly Bean, 4.4 KitKat, and 5.0-5.1 Lollipop. This is a good reminder to update all of your devices that are running older versions of Android and to keep them updated with the latest security patches. The most current versions of Android are 6.0 Marshmallow and 7.0-7.1 Nougat.

© Copyright 2016 Stickley on Security