[SingCERT] Advisory on Gooligan Malware

Published on Thursday, 01 December 2016 16:42

Background
On 30 November 2016, security company Check Point reported that a malware strain named Gooligan has affected Android phone users, compromising over a million Google accounts. Gooligan disguises itself as a legitimate Android app to trick users into installing it, after which it infects the phone. Gooligan then installs unwanted apps on the phone which cannot be easily removed, even after a factory reset of the phone.

Android phone users can perform a self-check at https://gooligan.checkpoint.com/ to find out if their devices are infected with Gooligan.

Malware Description
The phone is infected when a user downloads and installs a Gooligan-infected app on a vulnerable Android device or when the user clicks on malicious links in phishing messages.

Upon installation of the malicious app, Gooligan attempts to root the phone in order to download and run further malicious code. This gives Gooligan control of the device, allowing it to install apps without the user's permission and to rate those apps on the user's behalf. The malware also attempts to steal account information that gives it access to the user's sensitive data in Gmail, Google Photos, Google Docs, Google Play, Google Drive and G Suite.

How Gooligan Campaign Works
Credit: http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/

Impact
Users with an infected phone may observe the following symptoms:
  • Sluggish phone performance
  • Battery draining faster than usual
  • Apps installed without the user's permission, reducing the phone's available storage
  • Unexplained increase in mobile data usage
  • Factory reset of the phone does not remove the symptoms
  • Notifications that account credentials have been stolen

Recommendations
SingCERT recommends that affected users consider one of the following remediation methods.

Method 1 – Malware Scanner
  1. Scan the phone with a reputable antivirus scanner (e.g. Stubborn Trojan Killer) to detect the malware
  2. Sign out of all synchronised accounts (Gmail, Yahoo, Hotmail, Facebook, etc.) on the phone
  3. Repeat Step 2 on all other devices to which these accounts are also synchronised
  4. Using a clean computer or phone, log in to each of the accounts and change its password. Enable 2-factor authentication (2FA) where possible
  5. Log back in to your accounts after the passwords have been changed

Method 2 – Firmware Re-flashing
Firmware re-flashing involves performing a clean installation of the operating system on the mobile device. As the process can be complicated for some users, it is recommended that affected users seek help from a certified technician or phone manufacturer to have the phone’s firmware re-flashed.

Re-flashing the firmware wipes all data on the phone, so back up important information such as contacts, SMS messages, chats and images before performing a firmware re-flash. The steps are as follows:
  1. Back up all important information such as contacts, SMS messages, chats and images to your computer or an external device
  2. Bring your phone to the service centre and request for the firmware to be re-flashed. Note: This may incur a cost.
  3. Sign out of all synchronised accounts (Gmail, Yahoo, Hotmail, Facebook, etc.) on the phone
  4. Repeat Step 3 on all other devices to which these accounts are also synchronised
  5. Using a clean computer or phone, log in to each of the accounts and change its password. Enable 2-factor authentication (2FA) where possible
  6. Log back in to your accounts after the passwords have been changed

Prevention
  • Only download and install apps from reputable app stores
  • Use an antivirus/antimalware scanner to scan apps before installing them
  • Do not click on suspicious links, web pages or advertisements

References
http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/
https://gooligan.checkpoint.com/
https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi
http://www.cmcm.com/blog/en/security/2015-09-18/799.html
http://www.cmcm.com/blog/en/security/2016-10-14/1031.html
https://www.fireeye.com/blog/threat-research/2015/09/guaranteed_clicksm.html
http://blog.trendmicro.com/trendlabs-security-intelligence/new-ghost-push-variants-sport-guard-code-malware-creator-published-over-600-bad-android-apps/