Most malware simply steals a piece or two of information, or does something to your device, but some malware has the ability to take control of your account. Speaking of which, ‘Gooligan’, a piece of malware that compromises Google accounts, is at large right now and is said to be compromising information from 13,000 devices each day. The malware’s observed behavior is to perform fraudulent downloads and leave fraudulent reviews on certain Google Play Store apps to garner popularity, but given the level of account access needed to do that, the implications here are much bigger. The malware targets users on Android versions all the way up to Android 5.1 (Lollipop), meaning that if you’re on Android version 6.0 (Marshmallow) or higher, you’re probably safe. The malware has been found around the world, especially in markets with concentrations of older and lower-spec devices running older Android versions, and has managed to infect over 1 million devices so far.
The malware spreads through a number of fake apps, normally downloaded from third-party sources like Aptoide, where users can mostly upload and download whatever they wish, free from the protections Google applies to the Play Store. Since discovering the malware, Check Point has been working closely with Google to see it defeated and the vulnerabilities it exploits patched. They’ve also created an online tool that checks whether your account has been compromised, accessible through the source link. If you’ve downloaded apps from outside the Play Store, you may want to check your account.
On the device side, Google’s “Verify Apps” tool, turned on by default from Android 4.1 (Jelly Bean) onward, is able to catch the malware and block installation of an affected app, or advise a user to uninstall an infected app they already have. This can, of course, be turned off by the user, and should not be considered a 100% guaranteed solution either way. Still, between this and the protections in place on the Play Store, estimates put some 92 percent of devices out there as being safe from Gooligan. Once Gooligan gets in, it roots the device in question to obtain security certificates and perform the fraudulent actions. You can see a brief breakdown of how Gooligan works below.