Gooligan spreads via apps from third-party app stores and malicious links in phishing attack messages. It downloads a rootkit to steal authentication tokens, which are used to breach data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive and other programs. It also installs apps that can steal your account information to post fake ratings and reviews to raise the profile of these apps.
Check Point said attackers are enticing victims to download free versions of popular paid Android apps via third-party app stores hosting Gooligan-infected apps such as StopWatch, Flashlight Free, and Pedometer.
“The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device,” Check Point researchers wrote. “Our research team has found infected apps on third-party app stores, but they could also be downloaded by Android users directly by tapping malicious links in phishing attack messages.”
Vulnerable Android handsets include devices running OS versions 4 (Ice Cream Sandwich, Jelly Bean, and KitKat) and 5 (Lollipop). Check Point estimates 74 percent of Android devices in use today are vulnerable to the malware. Once a malicious Gooligan app is installed on a vulnerable device, attackers can push either the rootkit VROOT or Towelroot from a command-and-control server.
Head to the Check Point website and enter your email address. It will immediately let you know if your account has been breached.