Malware used existing root exploits to target Jelly Bean, KitKat and Lollipop devices, racking up fake installations and reviews on Google Play.
Security firm Check Point has revealed a new malware campaign involving using malicious apps to root Android devices, steal Google authentication tokens and illegitimately rack up installation numbers and review scores for other apps.
The malware, dubbed "Gooligan" by Check Point, uses known vulnerabilities to get obtain root access — complete control — over devices running Android 4.x and 5.x, before using this to steal Google account names and authentication tokens. This then allowed the perpetrators to remotely install other apps from Google Play on victims' devices, and post false reviews in their name.
In theory, malware like this, which is designed to steal authentication details, may have been able to access other areas of Google accounts, like Gmail or Photos. There's no evidence that "Gooligan" did anything like this — instead, it appears it was built to make money for its creators through illegitimate app installs.
What is striking about this strain of malware is the number of accounts affected — more than one million since the campaign began, according to Check Point. The majority — 57 percent — of these accounts were compromised in Asia, according to the firm. Next were the Americas with 19 percent, Africa with 15 percent and Europe with 9 percent. Check Point has set up a site where you can check if your account is affected; Google also says it's reaching out to anyone who may have been hit.
Ahead of today's public announcement, Google and Check Point have been working together to improve Android's security.
We're appreciative of both Check Point's research and their partnership as we've worked together to understand these issues," said Adrian Ludwig, Google's director of Android security. "As part of our ongoing efforts to protect users from the Ghost Push family of malware, we've taken numerous steps to protect our users and improve the security of the Android ecosystem overall."
Check Point also notes that Google's "Verify Apps" technology has been updated to deal with apps using vulnerabilities like this. That's significant because, while it doesn't help devices that are already compromised, it roadblocks future installations on 92 percent of active Android devices, even without the need for firmware updates.
Like other app-based exploits, Google's 'Verify Apps' feature now protects 92 percent of active devices from 'Gooligan.'
"Verify Apps" is built into Google Play Services, and enabled by default in Android 4.2 Jelly Bean — accounting for 92.4 percent of active devices, based on the current numbers. (On older versions, it can be manually enabled.) Like the rest of Play Services, it's regularly updated in the background, and it blocks the installation of malicious apps, and can advise users to uninstall malware that's already there.
On newer versions of Android, the underlying exploits used by "Gooligan" to root devices will have been addressed through security patches. So as significant as a million compromised accounts sounds, this is also an example of Google's security strategy for app-based malware working as designed, blocking installations of affected apps across the vast majority of the ecosystem.
If you're concerned that your account may have been affected, you can hit up Check Point's site. In future, Google's existing safeguards — a part of Play Services for the past four years — will ensure you're protected.
Update: Google's lead engineer for Android security, Adrian Ludwig, has an extensive write-up on the background of today's "Googlian" announcement, and what Google's doing about it, over on Google+.