How Gooligan Works

Gooligan-infected apps send data about infected devices to the campaign’s command and control server, then download a rootkit such as Vroot or Towelroot.

That raises the question of why Google hasn’t done anything to prevent the risky activity.

“Support is expensive, and, when you’re Google or any other vendor,” said Michael Jude, a program manager at Stratecast/Frost & Sullivan.

“You have to plan allocation of resources for these things, since there are always user problems,” he told TechNewsWorld.

Once the device is rooted, Gooligan downloads a new malicious module that lets it

  • steal a user’s Gmail account and authentication token information, which bypasses Google’s two-factor authentication and other security mechanisms;
  • install apps from Google Play and rate them to raise their reputation; and
  • install adware to generate revenue.

The malware also fakes device information such as IMEI and IMSI, so it can download an app twice but make it appear that the downloads are on different devices, thus doubling the potential revenue from the apps.

Apps infected by Gooligan include “Perfect Cleaner,” “WiFi Enhancer,” “Memory Booster,” “Battery Monitor” and “Weather.”


Protecting the User

Google has removed from Google Play apps associated with the Ghost Push family, and apps that benefited from installs delivered by the malware, Google’s Ludwig noted.

It also has improved Verify Apps to protect users in the future.

Google has notified users known to have been affected by Gooligan. It also has removed their Google Account tokens and provided them simple instructions to sign in securely, Ludwig said.

Further, it has been working with the Shadowserver Foundation, as well as multiple major ISPs that provided the infrastructure used to host and control Gooligan, in order to take down the infrastructure.

Devices with up-to-date security patches are safe, Ludwig said. Those with a system image, like Google’s Nexus and Pixel devices, can remove the malware through a system software reinstall.

Owners of newer devices, including those compatible with Android 6.0, have Verified Boot enabled, and can remove Ghost Push easily, Ludwig pointed out.

Patches often are delayed by wireless carriers because they need to test them for compatibility first.