The malware, dubbed Gooligan, gets installed on host devices through a regular phishing attack from third-party app stores (i.e., not the Google Play Store). Once it gains access to the device, it starts installing malware via that app, collecting data about your phone, rooting your phone, and stealing your email accounts and authentication tokens (which gives the attackers theoretical access to all your Google apps, such as Gmail, Google Photos, Google Drive, etc.). After settling in, the malware starts installing and rating fraudulent apps from the Google Play Store.

Check Point reached out to Google’s security team after detecting the malware and has been working with Google to investigate the massive breach. “We’re appreciative of both Check Point’s research and their partnership as we’ve worked together to understand these issues,” said Adrian Ludwig, Google’s director of Android security. “As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall.”

The steps taken include deleting apps connected with the malware from affected devices and from Google Play; strengthening security to block Android users from installing unverified apps from outside Google Play; and working with internet service providers to take down the infrastructure that supports the malware. The company said that Google has contacted all the users known so far to be affected.

To keep yourself safe, follow Google’s app installation guidelines and, as much as possible, avoid downloading any apps from websites or third-party app stores.

Source: Check Point