Android Malware Hits One Million Users

John Lister's picture

Bogus Android apps have helped hackers seize control of more than a million Google accounts in the past few months according to a security company. The apps have also been posting fake online reviews in the names of victims.

The attack involves malware that's been dubbed "Gooligan." It's particularly concerning because of the sheer amount of personal data a hacker could theoretically access if they can use somebody's Google accounts, such as their email messages and any files stored on Google Docs and Drive.

The malware affects devices running versions 4 and 5 of the Android operating system, known also as Jelly Bean, KitKat or Lollipop (with Marshmallow [6] and Nougat [7] being the latest versions). Although versions 4 and 5 are older editions of the Android operating system, they are still popular on cheaper handsets that can't be updated. Checkpoint, the security firm that identified Gooligan, says 74 percent of Android phones and tablets used today are running one of these systems. (Source: checkpoint.com)

Third-Party Apps Provide Attack Route

The hackers took advantage of what's both a benefit and drawback of Android - namely it's open nature. Gooligan takes hold through rogue apps that aren't distributed through the main Google Play store, but rather through third-party stores.

With Android, users can specify if they would like to allow third-party downloads that do not originate from the Google Play (app) store. In this case, it's possible to later grant permission for a third-party download on a website offering up apps; in some cases, it's reported that victims of Gooligan may have unintentionally installed apps by clicking on links in bogus text messages. Once installed, Gooligan takes advantage of known security flaws in older editions of Android where either the user hasn't installed a fix, or where one isn't available for their handset.

Bogus Downloads Rake In Cash

Rather than mischief making (such as distributed denial of service attacks), Gooligan is all about making money. It takes advantage of the fact that many apps on Google Play are free; instead of users paying for an app, developers will instead insert advertisements - often recommending third-party apps on Google Play. When a user installs a third-party app (based on a recommendation), the aforementioned app developer gets paid a commission.

The way Gooligan makes its cash is by simulating the user selecting a link to install an app, with the people behind Gooligan then claiming the commission. In many cases it will falsify the information it provides to make it look like the download is happening on multiple devices, and claim multiple commission payments. It even uses the device's Google account to post bogus reviews for the app in question.

The good news is that to date it appears the hackers are more interested in the bogus downloads and reviews than in accessing other areas of a user's Google accounts. Google says it is contacting known victims to help them regain uncompromised access to their accounts. (Source: google.com)

What's Your Opinion?

Is it possible to prevent attacks such as this without undermining the open nature of Android? Should manufacturers set up devices so they can't install apps other than through Google Play? Or is it up to users to take responsibility if they choose to use third-party app stores?

Rate this article: 
Average: 5 (6 votes)

Comments

Dennis Faas's picture

Remember when people said "Mac's and Linux can't have malware or viruses"? Well, Mac (and iPhone) are based on Linux, and so is Android. The only reason these machines / devices weren't targeted in the past (so much) is because it was not as profitable compared to Windows. Now we have a much different picture than we did 10 years ago, with very sophisticated malware attacking Android (Linux) and iOS devices, carrying out targeted attacks and raking in cash. The point is, attack vectors are possible so long as there is money to be made. No operating system is perfect - bugs will be discovered, and exploits will be patched (or not) - and that will never change.