Android devices are in the cross hairs with two separate but deadly attack campaigns that wrest control of the devices and include clues that suggest links to China.
Researchers at Check Point Software Technologies say they have uncovered a new malware variant called Gooligan that to date has hacked one million Google accounts worldwide by rooting the user’s Android device, at an alarming rate of some 13,000 devices per day. Among Gooligan’s victims are hundreds of email addresses tied to enterprise accounts.
The malware, a new version of the SnapPea downloader discovered in 2015, attacks Android 4 (Jelly Bean, KitKat) and Android 5 (Lollipop) devices, which make up nearly three-quarters of all Androids in use today. Once installed on the victim’s device, the malware steals email addresses and stored authentication tokens, giving the attackers access to the user’s Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite accounts and information.
“Putting Android aside, from what we have been able to search [and research], this is probably the biggest compromise of Google accounts, mobile or non-mobile,” says Michael Shaulov, head of mobile products at Check Point. “Clearly, this is an escalation” of attacks against mobile devices as well, he adds.
While 57% of the infections are in Asia, there’s a conspicuous lack of any infections in China, he notes. The attackers make money via click-fraud, according to Check Point’s findings.
“After rooting the device and stealing the user’s Google account email and authentication token, Gooligan is capable of mimicking user behavior to tap on ads for legitimate applications on Google Play. Once the app is installed, the attacker is paid by the ad service for the successful installation,” Shaulov says.
The second attack campaign, which was discovered by Palo Alto Networks Unit 42 research team, exploits Android’s plug-in technology by camouflaging its elements as plugin apps, which don’t require actual installation on the device. The so-called PluginPhantom Trojan pilfers files, location data, contacts, and WiFi information from the device, and can also take pictures, capture screenshots, record audio, intercept and send SMS messages, and act as a keylogger.
Ryan Olson, intelligence director of Unit 42, says his team doesn’t know how many Androids have fallen victim to PluginPhantom nor their geographic locations, but there is a China connection of sorts. “The location information being translated to coordinate systems used by Baidu Maps and Amap Maps, the top two navigation apps in China, is highly suggestive of a China connection,” Olson says. “But our focus in this posting is on the ways in which this malware shows malware authors using current development methods and technologies to ‘improve’ their malware.”
While mobile vulnerabilities and malware – mainly for Android – have been rampant in recent years, actual widespread attacks haven’t been a reality for enterprises. Desktop and office endpoints are still too easy a target in many cases. But these latest Android attacks are significant in their size and scope of compromise.
“This thing [Gooligan] both infects a mass amount of users and actually steals the crown jewels to the accounts to compromise their Google services: email, photos, documents,” for example, Check Point’s Shaulov says.
“I think that this, in terms of in-the-wild [attacks], is something we’ve never seen before,” he says.
Mobile devices are just one of an increasing number of Internet things that can be used as a stepping-stone to attacking businesses and others, says Dimitri Sirota, CEO of BigID. “There are just so many places of exploit where information is getting collected. I think there’s going to be a lot more opportunity for hijacked [devices] to capture personal information. Mobile devices are just one of those places.”
Some 60% of employees use at least one personal mobile device to access corporate data, according to new data from Ovum that demonstrates the difficulty in reining in corporate data access via mobile.
What Google Said
Meanwhile, Google said that it has been beefing up the Android environment and had worked with Check Point on responding to Gooligan. “We appreciate Check Point’s partnership as we’ve worked together to understand and take action on these issues. As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall,” Adrian Ludwig, director of Android security at Google said in a statement.
Check Point’s Shaulov says it’s unclear and unnerving as to why the Gooligan attackers are storing so much personal data in their databases. The malware installs some 30,000 apps daily on infected devices, which comes to about 2 million apps total to date. Victims are infected when they download and install a malicious app from a third-party Google app store or click an infected link in an email message.
PluginPhantom, meanwhile, is a new variant of Android.Trojan.Ihide. “In the new architecture, the original malware app is divided into multiple apps (plugin apps) and a single app (a host app). The host app embeds all plugin apps in resources, which implement different functional modules,” Unit 42 said in a blog post today. “After victims install the host app, it can directly load and launch plugin apps without installing plugin apps, by abusing the legitimate open source plugin framework – DroidPlugin .”
Unit 42’s Olson says his team isn’t sure of the ultimate goal of the attack. “We can’t know the attackers’ intentions for certain, but the broad capability of the samples we’ve analyzed show how the lines between cybercrime and spying continue to blur. For example, being able to secretly record conversations using the camera and microphone like this has application for both realms.”
Special thanks to Kelly Jackson Higgins is Executive Editor at Dark Reading.