Audacious Android scam hacks a million Google accounts to boost app ratings

A new Android scam is hacking Google accounts just to help apps get discovered in Google Play’s crowded marketplace of two million apps.

Google is working with ISPs, security firms and handset makers to fight Android malware, dubbed Gooligan, that has compromised a million Google Accounts to boost ratings on select apps in Google Play.

Google says that no user data was accessed by the malware, however authentication tokens were used to carry out actions from user accounts.

According to security firm Check Point, the malware has compromised a million Google accounts and affected users of Google Play, Gmail, Google Photos, Google Docs, Google Drive, and G Suite, Google’s paid-for suite of productivity tools for the enterprise.

One way to get an discovered on Google Play is by having a five-star rating and glowing reviews, but instead of relying on real humans to rate an app Gooligan steals authentication tokens from infected Android devices and uses them to gain access to Google accounts.

By posting fake reviews and artificially bumping up app ratings, the malware attempts to game Google’s ranking system and ultimately to encourage others to install the apps.

Check Point revealed details of the malware campaign today, claiming that one million Google Accounts had been compromised by Googligan since August.

“Ad servers, which don’t know whether an app using its service is malicious or not, send Gooligan the names of the apps to download from Google Play. After an app is installed, the ad service pays the attacker. Then the malware leaves a positive review and a high rating on Google Play using content it receives from the C&C server,” said Check Point.

Director of Android security, Adrian Ludwig, said Google is aware of the threat, which he said is a variant of an older piece of malware known as Ghost Push. Apps harboring Ghost Push attempt to install other malicious apps on users’ phones.

Google already blocks Ghost Push from installing on devices with Android’s Verify Apps security feature, however it only began blocking Gooligan in the past few weeks after Check Point alerted it.

Newer variants of Ghost Push exploit one of Android’s biggest security weakness; namely, that handset makers and carriers have historically done nothing to patch publicly known Android software vulnerabilities.

“Several Ghost Push variants use publicly known vulnerabilities that are unpatched on older devices to gain privileges that allow them to install applications without user consent,” said Ludwig in a post on Google+.

“In the last few weeks, we've worked closely with Check Point … to investigate and protect users from one of these variants. Nicknamed ‘Gooligan’, this variant used Google credentials on older versions of Android to generate fraudulent installs of other apps,” he continued.

By “older”, Ludwig means any phone that is two or more years old. CheckPoint says Gooligan affects devices from the pre-2014 versions of Android, Jelly Bean and KitKat, as well as Android 5.0 Lollipop, which Google released in 2014.

A two years may be old, but the current version of Android, 7.0 Nougat, is only installed on 0.3 percent of Android devices. Today, 25 percent of Android devices remain on KitKat, while 34 percent remain on Lollipop. Check Point estimates 75 percent of Android devices are vulnerable to Gooligan attacks.

The Gooligan-laced apps are being distributed via third-party stores, reinforcing the general security advice to not install apps from stores other than Google Play. Gooligan also loads adware onto infected devices.

Google’s Ludwig said Google had found no evidence that user data was accessed and that less than 0.1% of affected accounts were GSuite customers.

“We’ve removed apps associated with the Ghost Push family from Google Play. We also removed apps that benefited from installs delivered by Ghost Push to reduce the incentive for this type of abuse in the future,” said Ludwig.

Google is also working with the botnet fighters at the Shadowserver Foundation as well as “multiple major ISPs” to combat Ghost Push and its variants.

It has also revoked tokens from affected Google accounts and provided users with instructions to sign back in.

“This was a team effort within Google, across the Android security, Google Accounts, and the Counter-Abuse Technology teams. It also required close coordination with research firms, OEMs, and hosting companies. We want to thank those teams for their assistance and commitment during our ongoing efforts to fight Ghost Push and keep users safe,” said Ludwig.