720-891-1663

1 Million (Likely More) Google Accounts Compromised by Gooligan

I am not sure what rock I have been hiding under, but somehow I missed this item.

About two months ago, the security company Checkpoint revealed a new Android malware family called Gooligan.

The malware can attack about 74% of Android phones world wide.  The good news, if there is any,  is that it only works (today) on old, obsolete, versions of the Android OS.  Specifically, it works on Version 4 (Ice cream sandwich, Jelly bean and Kit kat) and Version 5 (Lollipop), but not Version 6 (Marshmallow) or Version 7 (Nuggat).

Many phone manufacturers dump support for a phone as soon as the next bright shiny object comes along to distract them, so, except in a few circumstances, whatever version of the Android OS came on the phone is what it will die with, years later.

This is somewhat different than iPhones in that there are far fewer models.  However, when Apple decides to end-of-life a phone model, the user has two choices – live with the fact that there are no more security patches for that iPhone or buy a new phone.

So in a sense, there is not a huge difference in this respect between Apple and Google.

Users on the other hand have paid off the phone and don’t want to buy a new one until they have to or can’t resist.

The problem is that if you are using a phone with known vulnerabilities and which your phone provider has decided to stop upgrading, you are walking around with a potentially large hole in your security net.

In the case of the Gooligan malware, hackers pay app developers to insert their malicious payload inside otherwise good apps.  Typically, these are apps that are distributed from shady app stores and not Google Play.

Once the app runs, it downloads more malware after contacting its command and control server.

The newly downloaded malware is customized for the version of the Android OS that you are running and “Roots” the phone, giving it super-human powers.

Once the malware has super-human powers, it downloads more malware- in this case to steal your Google account information and security tokens, install more apps (to get ad revenue and improve the app’s reputation) and install adware.  Of course, at this point, it could do anything it wants to including “bricking” (killing) the phone.  Bricking it isn’t in the hacker’s best interest because they want to have the phone be a zombie to do the hacker’s bidding whenever it wants it to.

Google has been working with the researchers to try and protect users – even to the point of suspending user’s access to Google services until they securely change their password, but if phone vendors don’t cooperate, it is hard.

It appears that most of the affected phones are in Asia with some in Europe and only a small number (about 20 percent) in the United States.

What this means is that both Apple and Android users need to understand that just because a phone can make and receive calls does not mean that it is a smart thing to keep using it.

For Android users, if you are not running Marshmallow or Nuggat today, it might be time to buy a new phone.  And, while some shiny new top of the line $800 phone might be cool, there are many much cheaper phones available.  And almost all carriers (including Apple) will lease you a phone on a monthly payment plan.

For companies who allow users to BYOD, those companies should consider a policy to not allow users who are using unsupported versions of the Android and Apple OSes to access corporate resources, including email.  Doing so puts the entire corporate network at risk.

One question to phone vendors – Apple or Android – is how long they will commit to issuing patches on a phone you are considering buying.  That length of time is when you have to buy a new phone, again, to stay secure.  If they don’t have an answer you like, look for a different phone or a different carrier.  If people don’t vote with their wallets, the carriers will ignore the issue.

I never said that improved security will make you popular.

Information for this post came from Ars Technica.

Facebooktwitterredditlinkedinmailby feather

Leave a Reply

Your email address will not be published. Required fields are marked *