Endpoint

11/30/2016
04:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Androids Under Attack: 1 Million Google Accounts Hijacked

Two separate attack campaigns were discovered targeting Androids - one that roots them and gains access to Google Gmail, Docs, Drive, accounts and another that steals information and intercepts and sends messages.

Android devices are in the crosshairs with two separate but deadly attack campaigns that wrest control of the devices and include clues that suggest links to China.

Researchers at Check Point Software Technologies say they have uncovered a new malware variant called Gooligan that to date has hacked one million Google accounts worldwide by rooting the user's Android device, at an alarming rate of some 13,000 devices per day. Among Gooligan's victims are hundreds of email addresses tied to enterprise accounts.

The malware, a new version of the SnapPea downloader discovered in 2015, attacks Android 4 (Jelly Bean, KitKat) and Android 5 (Lollipop) devices, which make up nearly three-quarters of all Androids in use today. Once installed on the victim's device, the malware steals email addresses and stored authentication tokens, giving the attackers access to the user's Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite accounts and information.

"Putting Android aside, from what we have been able to search [and research], this is probably the biggest compromise of Google accounts, mobile or non-mobile," says Michael Shaulov, head of mobile products at Check Point. "Clearly, this is an escalation" of attacks against mobile devices as well, he adds.

While 57% of the infections are in Asia, there's a conspicuous lack of any infections in China, he notes. The attackers make money via click-fraud, according to Check Point's findings.

"After rooting the device and stealing the user’s Google account email and authentication token, Gooligan is capable of mimicking user behavior to tap on ads for legitimate applications on Google Play. Once the app is installed, the attacker is paid by the ad service for the successful installation," Shaulov says.

The second attack campaign, which was discovered by Palo Alto Networks Unit 42 research team, exploits Android's plug-in technology by camouflaging its elements as plugin apps, which don't require actual installation on the device. The so-called PluginPhantom Trojan pilfers files, location data, contacts, and WiFi information from the device, and can also take pictures, capture screenshots, record audio, intercept and send SMS messages, and act as a keylogger.

Ryan Olson, intelligence director of Unit 42, says his team doesn't know how many Androids have fallen victim to PluginPhantom nor their geographic locations, but there is a China connection of sorts. "The location information being translated to coordinate systems used by Baidu Maps and Amap Maps, the top two navigation apps in China, is highly suggestive of a China connection," Olson says. "But our focus in this posting is on the ways in which this malware shows malware authors using current development methods and technologies to 'improve' their malware."

While mobile vulnerabilities and malware – mainly for Android – have been rampant in recent years, actual widespread attacks haven't been a reality for enterprises. Desktop and office endpoints are still too easy a target in many cases. But these latest Android attacks are significant in their size and scope of compromise.

"This thing [Gooligan] both infects a mass amount of users and actually steals the crown jewels to the accounts to compromise their Google services: email, photos, documents," for example, Check Point's Shaulov says.

"I think that this, in terms of in-the-wild [attacks], is something we've never seen before," he says.

Mobile devices are just one of an increasing number of Internet things that can be used as a stepping-stone to attacking businesses and others, says Dimitri Sirota, CEO of BigID. "There are just so many places of exploit where information is getting collected. I think there's going to be a lot more opportunity for hijacked [devices] to capture personal information. Mobile devices are just one of those places."

Some 60% of employees use at least one personal mobile device to access corporate data, according to new data from Ovum that demonstrates the difficulty in reining in corporate data access via mobile.

What Google Said

Meanwhile, Google said that it has been beefing up the Android environment and had worked with Check Point on responding to Gooligan. "We appreciate Check Point's partnership as we’ve worked together to understand and take action on these issues. As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall," Adrian Ludwig, director of Android security at Google said in a statement.

Check Point's Shaulov says it's unclear and unnerving as to why the Gooligan attackers are storing so much personal data in their databases. The malware installs some 30,000 apps daily on infected devices, which comes to about 2 million apps total to date. Victims are infected when they download and install a malicious app from a third-party Google app store or click an infected link in an email message.

PluginPhantom, meanwhile, is a new variant of Android.Trojan.Ihide. "In the new architecture, the original malware app is divided into multiple apps (plugin apps) and a single app (a host app). The host app embeds all plugin apps in resources, which implement different functional modules," Unit 42 said in a blog post today. "After victims install the host app, it can directly load and launch plugin apps without installing plugin apps, by abusing the legitimate open source plugin framework – DroidPlugin [2]."

Unit 42's Olson says his team isn't sure of the ultimate goal of the attack. "We can’t know the attackers’ intentions for certain, but the broad capability of the samples we’ve analyzed show how the lines between cybercrime and spying continue to blur. For example, being able to secretly record conversations using the camera and microphone like this has application for both realms."

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
hieuhuule
100%
0%
hieuhuule,
User Rank: Apprentice
12/1/2016 | 9:32:25 AM
Who is a victim?
How do you know if someone is a victim?  I haven't downloaded anything for a third-party or clicked a suspicious email link, that I can remember.  But my enitre life is pretty much in my Google account so I'm definitely concerned.
Data Privacy Careers Are Helping to Close the IT Gender Gap
Dana Simberkoff, Chief Risk, Privacy, and Information Security Officer, AvePoint, Inc.,  8/20/2018
Ohio Man Sentenced To 15 Months For BEC Scam
Dark Reading Staff 8/20/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15667
PUBLISHED: 2018-08-21
An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. It registers and uses the airmail:// URL scheme. The "send" command in the URL scheme allows an external application to send arbitrary emails from an active account without authentication. The handler has no restriction on who can...
CVE-2018-15668
PUBLISHED: 2018-08-21
An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. The "send" command in the airmail:// URL scheme allows an external application to send arbitrary emails from an active account. URL parameters for the "send" command with the "attachment_" prefix designate atta...
CVE-2018-15669
PUBLISHED: 2018-08-21
An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. Its primary WebView instance implements "webView:decidePolicyForNavigationAction:request:frame:decisionListener:" such that requests from HTMLIFrameElements are blacklisted. However, other sub-classes of HTMLFrameOwnerElements are...
CVE-2018-15670
PUBLISHED: 2018-08-21
An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. Its primary WebView instance implements "webView:decidePolicyForNavigationAction:request:frame:decisionListener:" such that OpenURL is the default URL handler. A navigation request is processed by the default URL handler only if t...
CVE-2018-15671
PUBLISHED: 2018-08-21
An issue was discovered in the HDF HDF5 1.10.2 library. Excessive stack consumption has been detected in the function H5P__get_cb() in H5Pint.c during an attempted parse of a crafted HDF file. This results in denial of service.