11/30/2016 04:00 PM

Androids Under Attack: 1 Million Google Accounts Hijacked

Two separate attack campaigns have been discovered targeting Android devices: one roots them and gains access to the victim's Gmail, Google Docs, Google Drive, and other Google accounts, and another steals information and intercepts and sends SMS messages.

Android devices are in the crosshairs with two separate but deadly attack campaigns that wrest control of the devices and include clues that suggest links to China.

Researchers at Check Point Software Technologies say they have uncovered a new malware variant called Gooligan that to date has hacked one million Google accounts worldwide by rooting the user's Android device, at an alarming rate of some 13,000 devices per day. Among Gooligan's victims are hundreds of email addresses tied to enterprise accounts.

The malware, a new version of the SnapPea downloader discovered in 2015, attacks Android 4 (Jelly Bean, KitKat) and Android 5 (Lollipop) devices, which make up nearly three-quarters of all Androids in use today. Once installed on the victim's device, the malware steals email addresses and stored authentication tokens, giving the attackers access to the user's Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite accounts and information.
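The article says Gooligan targets Android 4 (Jelly Bean, KitKat) and Android 5 (Lollipop) and that most employees reach corporate data from personal devices, so a first defensive step is to find which enrolled devices sit in that release range. The following is an added example, not code from the article, Check Point or Google: it triages a constructed MDM inventory export (the column names `device_id`, `os`, `os_version` and `rooted` are assumptions) and separates exposed devices, exposed devices that are already rooted, and devices whose version string is missing or unparseable.

```python
"""
Added example (not from the article or from Check Point): triage a device
inventory for Android builds in the release range the article says Gooligan
targets, Android 4 (Jelly Bean, KitKat) and Android 5 (Lollipop).
The inventory CSV below is constructed; the column names are assumptions.
"""
import csv
import io
import re

# Constructed inventory export. Real MDM exports use different column names.
INVENTORY_CSV = """device_id,os,os_version,rooted
d-001,Android,4.4.2,false
d-002,Android,5.1.1,true
d-003,Android,6.0.1,false
d-004,iOS,10.1,false
d-005,Android,4.4W.2,false
d-006,Android,,false
d-007,Android,7.0,true
"""

# Major versions the article names as targeted by Gooligan.
TARGETED_MAJORS = {4: "Jelly Bean / KitKat", 5: "Lollipop"}
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?")


def parse_major(version: str):
    """Return the integer major version, or None when the string is unusable.
    Tolerates suffixes such as '4.4W.2' (Android Wear builds) by reading only
    the leading numeric component."""
    m = _VERSION_RE.match(version.strip())
    return int(m.group(1)) if m else None


def triage(inventory_csv: str) -> dict:
    """Bucket Android devices into:
      exposed        - Android 4 or 5, the range the article says is targeted
      rooted_exposed - exposed and already reported rooted (investigate first,
                       since Gooligan roots the device as its first step)
      unknown        - version missing or unparseable, needs a manual look
      other          - Android releases outside the targeted range
    Non-Android rows are skipped."""
    report = {"exposed": [], "rooted_exposed": [], "unknown": [], "other": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["os"].strip().lower() != "android":
            continue
        major = parse_major(row["os_version"])
        if major is None:
            report["unknown"].append(row["device_id"])
        elif major in TARGETED_MAJORS:
            report["exposed"].append(row["device_id"])
            if row["rooted"].strip().lower() == "true":
                report["rooted_exposed"].append(row["device_id"])
        else:
            report["other"].append(row["device_id"])
    return report


if __name__ == "__main__":
    for bucket, ids in triage(INVENTORY_CSV).items():
        print(f"{bucket:15s} {ids}")
```

Devices in the `unknown` bucket deserve attention rather than dismissal: an inventory that cannot report a version usually cannot report root status either.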

"Putting Android aside, from what we have been able to search [and research], this is probably the biggest compromise of Google accounts, mobile or non-mobile," says Michael Shaulov, head of mobile products at Check Point. "Clearly, this is an escalation" of attacks against mobile devices as well, he adds.

While 57% of the infections are in Asia, there's a conspicuous lack of any infections in China, he notes. The attackers make money via click-fraud, according to Check Point's findings.

"After rooting the device and stealing the user’s Google account email and authentication token, Gooligan is capable of mimicking user behavior to tap on ads for legitimate applications on Google Play. Once the app is installed, the attacker is paid by the ad service for the successful installation," Shaulov says.

The second attack campaign, discovered by Palo Alto Networks' Unit 42 research team, abuses Android's plugin technology by packaging its components as plugin apps, which do not have to be installed on the device as separate apps. The so-called PluginPhantom Trojan pilfers files, location data, contacts, and WiFi information from the device, and can also take pictures, capture screenshots, record audio, intercept and send SMS messages, and act as a keylogger.

Ryan Olson, intelligence director of Unit 42, says his team doesn't know how many Androids have fallen victim to PluginPhantom nor their geographic locations, but there is a China connection of sorts. "The location information being translated to coordinate systems used by Baidu Maps and Amap Maps, the top two navigation apps in China, is highly suggestive of a China connection," Olson says. "But our focus in this posting is on the ways in which this malware shows malware authors using current development methods and technologies to 'improve' their malware."

While mobile vulnerabilities and malware – mainly for Android – have been rampant in recent years, actual widespread attacks haven't been a reality for enterprises. Desktop and office endpoints are still too easy a target in many cases. But these latest Android attacks are significant in their size and scope of compromise.

"This thing [Gooligan] both infects a mass amount of users and actually steals the crown jewels to the accounts to compromise their Google services: email, photos, documents," for example, Check Point's Shaulov says.

"I think that this, in terms of in-the-wild [attacks], is something we've never seen before," he says.

Mobile devices are just one of an increasing number of Internet things that can be used as a stepping-stone to attacking businesses and others, says Dimitri Sirota, CEO of BigID. "There are just so many places of exploit where information is getting collected. I think there's going to be a lot more opportunity for hijacked [devices] to capture personal information. Mobile devices are just one of those places."

Some 60% of employees use at least one personal mobile device to access corporate data, according to new data from Ovum that demonstrates the difficulty in reining in corporate data access via mobile.

What Google Said

Meanwhile, Google said that it has been beefing up the Android environment and had worked with Check Point on responding to Gooligan. "We appreciate Check Point's partnership as we’ve worked together to understand and take action on these issues. As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall," Adrian Ludwig, director of Android security at Google, said in a statement.

Check Point's Shaulov says it's unclear and unnerving as to why the Gooligan attackers are storing so much personal data in their databases. The malware installs some 30,000 apps daily on infected devices, which comes to about 2 million apps total to date. Victims are infected when they download and install a malicious app from a third-party Google app store or click an infected link in an email message.

PluginPhantom, meanwhile, is a new variant of Android.Trojan.Ihide. "In the new architecture, the original malware app is divided into multiple apps (plugin apps) and a single app (a host app). The host app embeds all plugin apps in resources, which implement different functional modules," Unit 42 said in a blog post today. "After victims install the host app, it can directly load and launch plugin apps without installing plugin apps, by abusing the legitimate open source plugin framework – DroidPlugin."
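The packaging Unit 42 describes, a host app that carries its plugin apps inside its own resources, leaves a structural trace that an analyst can look for: APK files nested inside the host APK. The script below is an added example, not code from the article or from Unit 42, and it uses no PluginPhantom-specific indicator. It walks the `assets/` and `res/raw/` entries of an APK (which is a zip archive), identifies nested packages by content (zip magic plus `AndroidManifest.xml` and `classes.dex`) rather than by file extension, and is exercised against a constructed host APK built in memory. Embedded APKs also occur in some legitimate apps, so treat a hit as a triage signal to be examined, not a verdict.

```python
"""
Added example (not from the article or from Unit 42): flag an Android APK
whose assets or raw resources contain embedded APKs, the host-app/plugin-app
packaging the article attributes to PluginPhantom. The host APK used here is
constructed in memory so the script runs offline.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
# Entries whose presence marks a zip payload as an installable Android package.
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}
# Directories where a host app would typically carry embedded payloads
# (assumption: these are the common locations, not an exhaustive list).
PAYLOAD_DIRS = ("assets/", "res/raw/")


def is_apk_blob(blob: bytes) -> bool:
    """True if blob is a zip archive that carries the markers of an APK."""
    if not blob.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return APK_MARKERS.issubset(set(z.namelist()))
    except zipfile.BadZipFile:
        return False


def find_embedded_apks(apk_bytes: bytes, size_limit: int = 50_000_000) -> list:
    """Return the names of entries under PAYLOAD_DIRS that are themselves APKs.
    Detection is by content, not extension, because a host app can store a
    payload under any name (.dat, .png, ...). Oversized entries are skipped to
    bound memory use when scanning many samples."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as host:
        for info in host.infolist():
            if not info.filename.startswith(PAYLOAD_DIRS):
                continue
            if info.is_dir() or info.file_size > size_limit:
                continue
            with host.open(info) as fh:
                head = fh.read(4)
                if head != ZIP_MAGIC:      # cheap pre-check before full read
                    continue
                blob = head + fh.read()
            if is_apk_blob(blob):
                found.append(info.filename)
    return found


def build_apk(entries: dict) -> bytes:
    """Construct a minimal zip-shaped APK from {name: bytes} (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def constructed_host_apk() -> bytes:
    """Constructed host APK: one plugin APK hidden under assets/ with a
    misleading extension, next to a harmless text asset and an image stub."""
    plugin = build_apk({
        "AndroidManifest.xml": b"<manifest/>",
        "classes.dex": b"dex\n035\x00",
    })
    return build_apk({
        "AndroidManifest.xml": b"<manifest/>",
        "classes.dex": b"dex\n035\x00",
        "assets/config.dat": plugin,              # embedded plugin, disguised
        "assets/readme.txt": b"nothing here",
        "res/raw/logo.png": b"\x89PNG\r\n\x1a\n",
    })


if __name__ == "__main__":
    print("embedded APKs:", find_embedded_apks(constructed_host_apk()))
```

To scan a real sample, pass the bytes of the APK file to `find_embedded_apks`; a non-empty result means the package ships other packages inside itself and warrants a closer look at how, and by which framework, they are loaded.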

Unit 42's Olson says his team isn't sure of the ultimate goal of the attack. "We can’t know the attackers’ intentions for certain, but the broad capability of the samples we’ve analyzed shows how the lines between cybercrime and spying continue to blur. For example, being able to secretly record conversations using the camera and microphone like this has application for both realms."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
hieuhuule, User Rank: Apprentice, 12/1/2016 | 9:32:25 AM
Who is a victim?
How do you know if someone is a victim? I haven't downloaded anything from a third party or clicked a suspicious email link, that I can remember. But my entire life is pretty much in my Google account so I'm definitely concerned.