Gooligan Malware Roots Android to Steal Authentication Token

Nicknamed Gooligan, a new type of malware, has infected 1.3 million Android devices from August which was discovered by Check Point Software Technologies. This malware roots Android, giving the hackers full control of users' devices. It steals users' authentication tokens and forces users to download apps as part of a huge advertising fraud scheme. The malicious software gains the foothold on phones or tablets when users download a third-party app. And recently, anyone who owned an Android device running version 4.1-4.3( Jelly Bean ), 4.4 ( KitKat ), or 5.0/5.1 ( Lollipop ) is at risk.

However, 57% of the infected devices are located in Asia, North and South America has 19%, the African continent makes up 15% and Europe contributes at 9%.

How does Gooligan Infect and Work on Android Device?

First, Gooligan stores its malware code in dozens of legitimate-looking apps on third-party Andorid app store. When users visit a website or download a third party app from unkonw source or mistakenly click on malicious links in phishing attack messages, Gooligan will be downloaded at the same time. Second, after the infected app is installed, it sends data about the device to the campaign's Command and Control server. Third, once the device information is obtained, Gooligan will downloads a rootkit which are applicable to the Android, such as Towelroot or VROOT. Last, after the device is rooted, Gooligan will download and install a new malicious module capable of compromising the authentication tokens which aims at injecting code into Google Play or Google Mobile Services in order to prevent users from detection.

What does Gooligan do after rooting?

No matter whether your device has been rooted by yourself for convenience such as customization or removing ads, the Gooligan might attack your Android if you owned the Android version 4 or 5. The Gooligan malware can download rootkit to root your device itself once installed through an infected APP. After rooting, the malware has full control of Android device. The module allows Gooligan to:

  • Pilfer users' Google email account and authentication token information.
  • Install a huge apps from Google Play.
  • Install adware.

How to check whether your Android device is infected?

Gooligan is present in at least 86 Android apps available from third-party marketplaces. Check Point has a good list of apps that they have identified. If you down one of the apps, you might be infected. In order to avoid the risk of being infected, you had better consider downlaoding an antivirus product such as Check Point ZoneAlarm to check if you are indeed infected.

Why Googligan can root your Android device

Rooting process usually exploits a vulnerability in the operating system code or device drivers and allows the "hacker" to upload a special program to the phone or tablet. There are two universal ways to root Android device, one is by taking advantages of vulnerabilities, the other is throught flashing custom recovery. Gooligan root Android via taking advantages of vulnerabilities such as VROOT and Towelroot on devices running Android 4 and Android 5.

What can KingoRoot do for help?

KingoRoot is an easiest and fastest one click apk to root your Android device. KingoRoot is developed in apk file format. KingoRoot Android by inplementing "vulnerabilities" according to the users' willing in order to help users to solve their rooting problems. After rooting, users can control the device by their own intention. And KingoRoot apk from the offcial website is a completely safe apk for settling down rooting problems.

For users whose Google accounts have been breached, a clean installation of an operating system on mobile Android device is required. Fortunately, after rooting with KingoRoot, flashing a new custom ROM is available. Users can install a new OS version after flashing a new custom ROM.

The Google's Android security chief notes that Android versions from 6.0 onward are unaffected by Gooligan. The hundreds of millions who continue to run older editions still have cause for concern. Rooting can help users flash a custom ROM in order to install the latest and greatest OS version that compatible with device.

Please note that: Rooting means giving yourself root permissions on your phone, you can manage all objects in the operating system. General software is available by using the ROOT privileges to implement more features, but when malware intrusion systems it also needs the root privilege. So please carefully consider authorizing an unknown application with root privileges.