11/30/2016 04:00 PM
Androids Under Attack: 1 Million Google Accounts Hijacked

Two separate attack campaigns have been discovered targeting Android devices: one that roots them and gains access to the victim's Gmail, Docs, Drive and other Google accounts, and another that steals information and intercepts and sends SMS messages.

Android devices are in the crosshairs of two separate but damaging attack campaigns that wrest control of the devices and carry clues suggesting links to China.

Researchers at Check Point Software Technologies say they have uncovered a new malware variant, called Gooligan, that to date has compromised one million Google accounts worldwide by rooting users' Android devices, at a rate of some 13,000 newly infected devices per day. Among Gooligan's victims are hundreds of email addresses tied to enterprise accounts.

The malware, a new version of the SnapPea downloader discovered in 2015, attacks Android 4 (Jelly Bean, KitKat) and Android 5 (Lollipop) devices, which together make up nearly three-quarters of all Android devices in use today. Once installed, it roots the device and then steals the Google account email address and the authentication tokens stored on it, giving the attackers access to the user's Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite accounts and data. Root is what makes the token theft possible: the tokens sit in system-owned account storage that Android's app sandbox keeps out of reach of an ordinary app.

"Putting Android aside, from what we have been able to search [and research], this is probably the biggest compromise of Google accounts, mobile or non-mobile," says Michael Shaulov, head of mobile products at Check Point. "Clearly, this is an escalation" of attacks against mobile devices as well, he adds.

While 57% of the infections are in Asia, there's a conspicuous lack of any infections in China, he notes. The attackers make money via click-fraud, according to Check Point's findings.

"After rooting the device and stealing the user’s Google account email and authentication token, Gooligan is capable of mimicking user behavior to tap on ads for legitimate applications on Google Play. Once the app is installed, the attacker is paid by the ad service for the successful installation," Shaulov says.

The second campaign, discovered by Palo Alto Networks' Unit 42 research team, abuses an open source Android plugin framework: the malware is split into plugin apps that a host app loads at runtime, so the plugins never have to be installed on the device. The so-called PluginPhantom Trojan pilfers files, location data, contacts, and Wi-Fi information from the device, and can also take pictures, capture screenshots, record audio, intercept and send SMS messages, and act as a keylogger.

Ryan Olson, intelligence director of Unit 42, says his team doesn't know how many Androids have fallen victim to PluginPhantom nor their geographic locations, but there is a China connection of sorts. "The location information being translated to coordinate systems used by Baidu Maps and Amap Maps, the top two navigation apps in China, is highly suggestive of a China connection," Olson says. "But our focus in this posting is on the ways in which this malware shows malware authors using current development methods and technologies to 'improve' their malware."

While mobile vulnerabilities and malware – mainly for Android – have been rampant in recent years, actual widespread attacks haven't been a reality for enterprises. Desktop and office endpoints are still too easy a target in many cases. But these latest Android attacks are significant in their size and scope of compromise.

"This thing [Gooligan] both infects a mass amount of users and actually steals the crown jewels to the accounts to compromise their Google services: email, photos, documents," for example, Check Point's Shaulov says.

"I think that this, in terms of in-the-wild [attacks], is something we've never seen before," he says.

Mobile devices are just one of an increasing number of Internet-connected things that can be used as a stepping stone to attacking businesses and others, says Dimitri Sirota, CEO of BigID. "There are just so many places of exploit where information is getting collected. I think there's going to be a lot more opportunity for hijacked [devices] to capture personal information. Mobile devices are just one of those places."

Some 60% of employees use at least one personal mobile device to access corporate data, according to new data from Ovum that demonstrates the difficulty in reining in corporate data access via mobile.

What Google Said

Meanwhile, Google said that it has been beefing up the security of the Android ecosystem and had worked with Check Point on responding to Gooligan. "We appreciate Check Point's partnership as we’ve worked together to understand and take action on these issues. As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall," said Adrian Ludwig, director of Android security at Google, in a statement.

Check Point's Shaulov says it's unclear, and unnerving, why the Gooligan attackers are storing so much personal data in their databases. The malware installs some 30,000 apps a day on infected devices, about 2 million apps in total to date. Victims are infected when they download and install a malicious app from a third-party app store rather than Google Play, or click a malicious link in an email message.
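Both infection paths Check Point describes begin with an app that did not come from Google Play. On a fleet of managed devices, the quickest triage is to ask each device who installed its third-party apps. The script below is an added example, not Check Point's Gooligan checker or any tool from the article: it parses the output of `adb shell pm list packages -3 -i` and flags every package whose recorded installer is not an allowlisted store. The sample output is constructed, and the `package:<name>  installer=<installer>` line format is assumed from what that command prints on Android 4.x/5.x devices.

```python
import re
from typing import Dict, List, Tuple

# Recognised stores. Add your enterprise app store's package here; anything
# else (or installer=null, meaning a sideload, adb install or an install the
# system never attributed) gets flagged for a closer look.
TRUSTED_INSTALLERS = frozenset({"com.android.vending"})  # Google Play

# Assumed line format of `pm list packages -3 -i` (third-party apps + installer).
_PM_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")

# Constructed sample output; not captured from a real device.
SAMPLE_PM_OUTPUT = """\
package:com.example.mail  installer=com.android.vending
package:com.example.freeflashlight  installer=null
package:com.example.batterysaver  installer=com.sec.android.app.samsungapps
package:com.example.notes  installer=com.android.vending
package:com.example.video  installer=null
"""


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map package name -> installer package ('null' when none was recorded)."""
    found: Dict[str, str] = {}
    for line in output.splitlines():
        m = _PM_LINE.match(line.strip())   # strip() also drops adb's trailing \r
        if m:                              # skip blank lines and any adb chatter
            found[m.group("pkg")] = m.group("inst")
    return found


def find_untrusted_installs(output: str,
                            trusted=TRUSTED_INSTALLERS) -> List[Tuple[str, str]]:
    """Return (package, installer) for every app not installed by a trusted store."""
    return sorted(
        (pkg, inst)
        for pkg, inst in parse_pm_list(output).items()
        if inst not in trusted
    )


if __name__ == "__main__":
    for pkg, inst in find_untrusted_installs(SAMPLE_PM_OUTPUT):
        print(f"{pkg:40s} installer={inst}")
```

The installer field is whatever the installing app reported at install time, so treat a hit as a lead, not proof: a vendor store such as the Samsung one in the sample is legitimate and belongs in the allowlist once you have decided to trust it, while `installer=null` on a package nobody recognises is exactly what a sideloaded dropper looks like.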

PluginPhantom, meanwhile, is a new variant of Android.Trojan.Ihide. "In the new architecture, the original malware app is divided into multiple apps (plugin apps) and a single app (a host app). The host app embeds all plugin apps in resources, which implement different functional modules," Unit 42 said in a blog post today. "After victims install the host app, it can directly load and launch plugin apps without installing plugin apps, by abusing the legitimate open source plugin framework – DroidPlugin."
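The host-app-plus-plugins layout Unit 42 describes leaves a static fingerprint: the host APK carries the plugin APKs as assets or resources (often under a bland name), and its own bytecode references the plugin framework's classes. The scanner below is an added example, not Unit 42's tooling or anything from the DroidPlugin project. It opens an APK as the ZIP it is, identifies payloads under assets/ and res/raw/ by their magic bytes rather than their file extension, and looks for the framework's class-name prefix in the DEX files. The DroidPlugin package prefix (`com.morgoo.droidplugin`), the class name inside the sample DEX, and the two APKs built by `build_sample_host_apk()` and `build_benign_apk()` are all constructed for the example.

```python
import io
import zipfile

# Assumed package prefix of the DroidPlugin framework; a repackaged or
# obfuscated copy will need different markers.
FRAMEWORK_MARKERS = (b"Lcom/morgoo/droidplugin/", b"com.morgoo.droidplugin")
# Where a host app typically tucks the plugin APKs it loads at runtime.
PAYLOAD_DIRS = ("assets/", "res/raw/")
ZIP_MAGIC = b"PK\x03\x04"
DEX_MAGIC = b"dex\n"


def _looks_like_apk(blob: bytes) -> bool:
    """True if blob is a ZIP that carries DEX code or an Android manifest."""
    if not blob.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as inner:
            names = set(inner.namelist())
    except zipfile.BadZipFile:
        return False
    return "classes.dex" in names or "AndroidManifest.xml" in names


def scan_apk(apk_bytes: bytes) -> dict:
    """Report embedded plugin payloads and plugin-framework references."""
    report = {"embedded_payloads": [], "framework_refs": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            blob = zf.read(name)
            # Payloads are judged by content, not extension: a plugin renamed
            # to assets/data.bin is still a ZIP (or a bare DEX) inside.
            if name.startswith(PAYLOAD_DIRS):
                if _looks_like_apk(blob) or blob.startswith(DEX_MAGIC):
                    report["embedded_payloads"].append(name)
            # Framework references live in the host's own bytecode.
            if name.endswith(".dex"):
                for marker in FRAMEWORK_MARKERS:
                    if marker in blob:
                        report["framework_refs"].append(marker.decode())
    # Either signal alone is weak (ordinary apps ship data files, and the
    # framework itself is legitimate); together they match the pattern.
    report["suspicious"] = bool(report["embedded_payloads"]) and bool(report["framework_refs"])
    return report


def _zip_bytes(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_host_apk() -> bytes:
    """Constructed stand-in for a PluginPhantom-style host app (not a real sample)."""
    plugin = _zip_bytes({
        "AndroidManifest.xml": b"\x03\x00\x08\x00",            # binary-XML header only
        "classes.dex": DEX_MAGIC + b"035\x00" + b"\x00" * 32,  # DEX header stub
    })
    # Constructed class name under the assumed framework prefix.
    host_dex = DEX_MAGIC + b"035\x00" + b"Lcom/morgoo/droidplugin/PluginHelper;"
    return _zip_bytes({
        "AndroidManifest.xml": b"\x03\x00\x08\x00",
        "classes.dex": host_dex,
        "assets/plugin_camera.bin": plugin,       # plugin APK under a bland name
        "res/raw/config.txt": b"interval=300\n",  # ordinary data file, must not trigger
    })


def build_benign_apk() -> bytes:
    """Constructed ordinary app: a data asset and no framework references."""
    return _zip_bytes({
        "AndroidManifest.xml": b"\x03\x00\x08\x00",
        "classes.dex": DEX_MAGIC + b"035\x00" + b"Lcom/example/notes/MainActivity;",
        "assets/help.html": b"<html></html>",
    })


if __name__ == "__main__":
    print("host  :", scan_apk(build_sample_host_apk()))
    print("benign:", scan_apk(build_benign_apk()))
```

Running it against real APKs means swapping the constructed builders for `open(path, "rb").read()`; the content check is what matters, since a payload that is only recognised by a `.apk` extension is trivially hidden by renaming it, while a ZIP or DEX header survives the rename.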

Unit 42's Olson says his team isn't sure of the ultimate goal of the attack. "We can’t know the attackers’ intentions for certain, but the broad capability of the samples we’ve analyzed show how the lines between cybercrime and spying continue to blur. For example, being able to secretly record conversations using the camera and microphone like this has application for both realms."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
hieuhuule, User Rank: Apprentice, 12/1/2016 | 9:32:25 AM
Who is a victim?
How do you know if someone is a victim? I haven't downloaded anything from a third party or clicked a suspicious email link, that I can remember. But my entire life is pretty much in my Google account so I'm definitely concerned.