According to this article at Ars Technica and this one from Clark.com, attackers have compromised more than 1 million Google accounts using a new variant of the Ghost Push Android malware. The malware "roots" vulnerable devices to gain elevated access and then downloads and installs additional malware.
What do we know?
Based on the information that we have now, the malware affects Android versions 4 and 5 and is found in at least 86 apps hosted on third-party marketplaces (i.e., not the Google Play Store). Though versions 4 and 5 of the Android operating system are a bit dated, they are still widely used in smartphones, tablets and a host of other devices. It’s worth noting that, by default, Android does not allow software to be installed from third-party marketplaces.
What does the malware do?
Once a device is compromised, the malware is able to access all of the Google apps on the account, including Gmail, Photos, Docs, Play, Drive and others. Infected devices also download apps from the legitimate Google Play Store and artificially raise (or lower) their reputation by rating them, and they download adware to generate revenue for the attackers.
What can you do?
First, if your device is running Android 4 or 5, check for an update to a newer version (this may not be an option). Second, make certain that you do not allow software from unknown sources (Settings -> Security). Third, check whether your account(s) have already been compromised; Check Point has created a free tool here. If your device(s) have been compromised, below is a quick checklist of what to do next:
- Re-flash your device – This can be done on the device itself by the user, by third-party technical support (like Cyber Tech Cafe) or by the carrier. It’s important to note that you’ll want a backup of any data (documents, pictures, etc.) stored on the phone, because the restore process can delete data.
- Change your password – Change it on the affected account (whatever account(s) were on the affected device as well as anywhere else that you’ve used that password).
- Enable 2FA – This isn’t specifically applicable here but is worth noting nonetheless. Two-factor authentication basically uses two means to authenticate you rather than one (just a password). An easy way to think of multi-factor authentication is to use something that you know (a password) and something that you have (access to a mobile phone to receive an SMS message). Wikipedia has an excellent article on 2FA here.
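As an added example that is not part of the original post: a small POSIX shell audit that checks the two exposure conditions described above (Android 4 or 5, and "Unknown sources" enabled) and counts non-system packages on a connected device. It assumes adb is installed and the device is attached with USB debugging on; the setting name install_non_market_apps is the Android 4.2+ global setting behind the Settings -> Security toggle, and the assessment logic is kept separate so it can be run on captured values without a device.

```shell
#!/bin/sh
# Added example (not from the original post). Requires adb for live use.

# Classify a device from its Android release string (ro.build.version.release)
# and the value of the global setting install_non_market_apps ("1" = unknown
# sources allowed). Returns "exposed", "outdated" or "ok".
assess_exposure() {
    release="$1"           # e.g. "5.1.1"
    unknown_sources="$2"   # "0" or "1"
    major=${release%%.*}   # keep only the major version number
    case "$major" in
        4|5) vulnerable_version=1 ;;
        *)   vulnerable_version=0 ;;
    esac
    if [ "$vulnerable_version" -eq 1 ] && [ "$unknown_sources" = "1" ]; then
        echo "exposed"     # affected version AND sideloading allowed
    elif [ "$vulnerable_version" -eq 1 ]; then
        echo "outdated"    # affected version, but sideloading disabled
    else
        echo "ok"
    fi
}

# Count packages that are not part of the system image. Reads the output of
# `pm list packages -3` (one "package:<name>" per line) on stdin.
count_third_party() {
    grep -c '^package:' || true   # grep exits 1 on zero matches; still prints 0
}

# Collect the values over adb and print a one-line summary. The tr strips the
# CR that older Android shells append to each line.
audit_device() {
    release=$(adb shell getprop ro.build.version.release | tr -d '\r')
    unknown=$(adb shell settings get global install_non_market_apps | tr -d '\r')
    status=$(assess_exposure "$release" "$unknown")
    third=$(adb shell pm list packages -3 | count_third_party)
    printf 'Android %s, unknown sources=%s -> %s; %s non-system packages\n' \
        "$release" "$unknown" "$status" "$third"
}

# Run the live audit only when explicitly asked: ./audit.sh --device
case "${1:-}" in
    --device) audit_device ;;
esac
```

A result of "exposed" means both conditions from the checklist apply; "outdated" means the version is affected but the Unknown sources toggle is already off.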
Misc / Errata
- Ars Technica Article – http://arstechnica.com/security/2016/11/1-million-android-accounts-compromised-by-android-malware-called-gooligan
- Clark.com Article – http://www.clark.com/report-1-million-google-accounts-hacked
- Check Point Article – http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan
- Ghost Push – https://en.wikipedia.org/wiki/Ghost_Push
- Android Rooting – https://en.wikipedia.org/wiki/Rooting_(Android_OS)
- Free Gooligan Checker – https://gooligan.checkpoint.com
- Cyber Tech Cafe – https://www.cybertechcafe.net
- Wikipedia 2FA – https://en.wikipedia.org/wiki/Multi-factor_authentication