An Android vulnerability has affected over one million users

Over one million Google accounts hacked by Gooligan

A new strain of Android malware dubbed Gooligan has enabled hackers to steal data from more than one million Google accounts, gaining access to authentication tokens that can be used to access Google Drive and Gmail.

The breach has been uncovered by cyber-security firm Check Point Software Technologies, which first detected the vulnerability last year in the SnapPea app.

The malware affects devices running Android 4 (Jelly Bean and KitKat) and 5 (Lollipop) through several dozen apps including the game Snake, Google and Weather.

The vulnerable Android versions are being run by 74 per cent of currently used Android devices.

Check Point Software Technologies said that 13,000 additional devices are being infected every day, with the majority of those in Asia.

The company alerted Google, which said it had started taking steps to notify owners of affected accounts and revoke insecure tokens.

In a blog post on its website, Check Point Software Technologies provides a list of affected apps as well as instructions on how to check whether a device has been infected. If Gooligan is found on the device, the user needs to completely reinstall the system.

Many of the affected applications are being sold through free app stores that offer free versions of apps that otherwise have to be paid for.

The researchers said the malware simulates clicks on app advertisements provided by legitimate ad networks and forces the app to install on a device. An attacker is paid by the network when one of these apps is installed successfully.

Logs collected by Check Point researchers show that every day Gooligan installs at least 30,000 apps fraudulently on breached devices, or over two million apps since the campaign began.

Similar to HummingBad, the malware also fakes device identification information, such as IMEI and IMSI, to download an app twice while seeming like the installation is happening on a different device, thereby doubling the potential revenue.

In the industrial cyber space, cyber security researchers have warned of a destructive computer virus known as Shamoon, which has once again been seen in action this month.

According to researchers from Symantec and CrowdStrike, Shamoon, which wiped out systems of energy companies in the Middle East four years ago, was discovered in Saudi Arabia again this November.

Shamoon acts by wiping the master boot records of affected computers. In 2012, attackers used the virus to leave images of a burning US flag on machines at Saudi Aramco and RasGas.

The new attack, reported on Thursday 17 November, wiped out disks of an unnamed company.

“Why Shamoon has suddenly returned again after four years is unknown,” the Symantec Security Response team said on its blog. “However, with its highly destructive payload, it is clear that the attackers want their targets to sit up and take notice.”

The Saudi business week ends on Thursday, so the attack appears to have been timed to begin after staff left for the weekend to reduce the chance of discovery and allow maximum damage.

“The malware had potentially the entire weekend to spread,” Palo Alto researcher Robert Falcone said in a blog post.

Infection with viruses such as Shamoon is costly for businesses as restoring the wiped-out systems is usually quite expensive.

The 2012 Shamoon attacks were likely conducted by hackers working on behalf of the Iranian government, said CrowdStrike chief technology officer Dmitri Alperovitch.

It is too early to say whether the same group was behind Shamoon 2, he said. The motive of the recent attacks was also not immediately clear.
