Over 1 Million Google Accounts Breached via Malicious Android Apps
The attack campaign, dubbed Gooligan, has breached the security of over one million Google accounts and is still growing
at a rate of 13,000 new infections each day. Googlian is a variant of the Ghost Push malware family of hostile
downloaders which download apps onto infected devices without the user’s permission. Google announced on their blog (link is external) that they they’ve been working the past few weeks to investigate and help protect users against this threat. As a
result, Google has already removed the offending apps from the Google Play Store. In addition to removing the malicious
apps, Google is also notifying affected accounts and revoking affected authorisation tokens.
How is the Malware Transmitted?
The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device. This can
happen in various ways, downloading an infected app from a third party app store, tapping malicious links in phishing
attack messages either through SMS text messages or other online messaging services, and via phishing emails.
The devices affected are phones that are running Android 4 (Jelly Bean, KitKat) and 5 (Lollipop).
Protecting Against Ghost Push Malware
This just pushes the point further that mobile devices need security software more than ever. This malware is easily
spread to unprotected phones – all the user needs to do is tap on one bad link and they are exposed. This is also where
software updates play a key role in security, as these attacks are using unpatched vulnerabilities on users phones.
If your account has been breached, the following steps are required:
• The only way to completely remove this malware from an infected device is to do a clean installation of the
operating system. This is a complicated process, and you may want to go to your mobile carrier and have them perform the
installation.
• Change your Google account passwords immediately after you have the OS reinstalled.
For more information or to speak to a Symantec spokesperson please contact Veronica Rojo at veronicar@botica.co.nz or visit the Symantec Security Response blog post available here.
ends