A nasty strain of Android malware that has been in the wild for the last two years is once again rearing its ugly head. Gooligan, the name given to malware that has been found in at least 86 malicious apps, has been infecting Android handsets at a rate of 13,000 devices worldwide per day, Israeli security firm Check Point Software said in a blog posting Wednesday.
The apps were downloaded from unauthorized, third-party app stores. So if you're not sticking to Google Play for downloads, you should be.
Gooligan is the latest variant on a strain of Android malware called Ghost Push that has been infecting Android users since 2014. Once it finds its way into handsets via malicious mobile apps, Ghost Push/Gooligan performs all kinds of annoying tasks, including sending users pop-ups ads and trying to install yet more apps, including some from the Google Play app store, on their handsets.
Gooligan threatens users' Google accounts, as it captures and reuses the authorization tokens that let Android devices permanently log into Google accounts. (Each token may take months to expire.) This lets Gooligan pose as a device user and submit phony five-star app reviews in the Google Play store. Check Point has posted a "Gooligan Checker" web page that lets users see whether their Google accounts may have been compromised.
Gooligan appears to be in the same vein as other Ghost Push malware. It lives inside compromised apps that are downloaded from third-party app stores. It's not believed to steal user data, but is part of what's essentially a sophisticated click-fraud scheme that collects cash from dodgy app developers every time Gooligan installs a new app or shows another ad on a victim's phone.
For its part, Google has been working hard to disrupt Ghost Push and its variants, according to a blog post Tuesday by Android security chief Adrian Ludwig, who added that Google has tracked more than 40,000 Ghost Push apps. Ludwig said the company has taken action against the malware, including attempts at disrupting the command-and-control servers that try to peddle the malicious software.
According to Check Point, the apps in question include StopWatch, Perfect Cleaner, and WiFi Enhancer, all of which are available in third-party marketplaces. They exploit known flaws in older Android distributions, including 4.1-4.3 Jelly Bean, 4.4 KitKat, and 5.0-5.1 Lollipop.
Phones and tablets running newer versions of Android, such as 6.0 Marshmallow or 7.0-7.1 Nougat, should be safe. Users can also protect themselves by installing all available security patches and version updates, running robust Android antivirus software and, most importantly, making sure that installing apps from "Unknown sources" is not enabled in their devices' security settings