Be aware of "Ghost Push" Mobile Malware

Release Date: 2 Dec 2016 2091 Views

 

HKCERT is aware that a security vendor disclosed a malware campaign called Gooligan, which is a variant of “Ghost Push” mobile malware discovered in 2015. Cybercriminals made use of Ghost Push to download other mobile apps in the infected device for monetization.

 

This Gooligan variant, like other Ghost Push malware, will gain root privilege of the device and steal Google credentials on Android 4 and 5 systems in order to generate fraudulent installs of other apps.

 

How Gooligan is distributed

Gooligan is propagated by installing the Gooligan-infected apps from a 3rd party app store or by installing Gooligan-infected apps through the links in phishing email.

 

Impacts of Gooligan

  • The malware gains root privilege of Android device, to take total control of your device.
  • Since it can gain access to Google authentication tokens in the device, your Google account may also be accessed by the malware.

 

How to detect and remove Gooligan infection

  • It affected devices with Android 4 (Jelly Bean, KitKat) or 5 (Lollipop) system, which is over 74% of in-market devices.
  • The user should review the application list in “Settings -> Apps”, if the applications match to the list (See Appendix A from More Than 1 Million Google Accounts Breached by Gooligan by Check Point), and you can verify whether the apps are infected with any anti-virus app.
  • According to Check Point, if any infected apps were found, a clean installation of an operating system on the mobile device is required (a process called “flashing”), and they recommend the user to contact phone manufacturer to technician to conduct the “flashing” process.
  • Check if your Google account is compromised with this webpage: https://gooligan.checkpoint.com/. If you believe that your Google account was breached, please change the password and review the security settings on a clean device.

 

Advice on prevention

  • Gooligan is one of the Ghost Push malware variants, other Ghost Push variants may affect other android versions. General measures to prevent Ghost Push malware infection:
  • Only download and install apps from official app store such as Google Play.
  • If you suspect the validity of the app publisher, verify it with second channel, e.g. app publisher website.
  • Keep devices up-to-date security patches.
  • Do not "jailbreak" or "root" the device to avoid breaking the system security.
  • Use Android security apps to protect your devices to block the install of malicious and unwanted apps, even if they come from Google Play.

 

Reference:

  • http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/
  • https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi
  • http://arstechnica.com/security/2016/11/1-million-android-accounts-compromised-by-android-malware-called-gooligan/

 

Share with

Previous

Favourite Security Reads of the Week (2 Dec 2016)

2 Dec 2016 1643 Views

We use cookies to give you the best possible experience on our website. By continuing to browse this site, you give consent for cookies to be used. For more details please read our Cookie Policy.

PRIVACY POLICY