“These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user,” said Check Point researchers.If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely. Next, a module is downloaded onto the device that injects code into running Google Play or Google Mobile Services to avoid detection. Researchers found the module allows Gooligan to steal a user’s Google email account and authentication token information, which can be used to access all the Google services related to the user, such as Google Play; Gmail; Google Docs; Google Drive; and Google Photos. The module also allows attackers to install apps from Google Play and rate them to raise their reputation and potentially increase downloads, as well as install adware to generate them revenue.
“Our research team was able to identify several instances of this activity by cross-referencing data from breached devices with Google Play app reviews. This is another reminder of why users shouldn’t rely on ratings alone to decide whether to trust an app,” warned Check Point.For more information on Gooligan and a list of infected apps, see Check Point’s blog post here.