From Ars Technica:
Researchers say they’ve uncovered a family of Android-based malware that has compromised more than 1 million Google accounts, hundreds of them associated with enterprise users.
Gooligan, as researchers from security firm Check Point Software Technologies have dubbed the malware, has been found in at least 86 apps available in third-party marketplaces. Once installed, it uses a process known as rooting to gain highly privileged system access to devices running version 4 (Ice Cream Sandwich, Jelly Bean, and KitKat) and version 5 (Lollipop) of Google’s Android operating system. Together, the vulnerable versions account for about 74 percent of users.
…
Update: In a separate blog post also published Wednesday morning, Android security engineer Adrian Ludwig said he and other Google officials have worked closely with Check Point over the past few weeks to investigate Gooligan and to protect users against the threat it poses. He said there’s no evidence data was accessed from compromised accounts or that individual users were targeted. He also said Google has been using a service called Verify Apps to scan individual handsets for signs of Gooligan and other Ghost Push apps. When detected, device owners receive a warning and installations are halted.
“We’ve taken many actions to protect our users and improve the security of the Android ecosystem overall,” Ludwig wrote. “These include: revoking affected users’ Google Account tokens, providing them with clear instructions to sign back in securely, removing apps related to this issue from affected devices, deploying enduring Verify Apps improvements to protect users from these apps in the future and collaborating with ISPs to eliminate this malware altogether.”
While Google is taking this threat seriously – which is a good thing! – handsets that ship without the Google Play Store will remain vulnerable to this and other kinds of malware unless those other app stores also try to warn users. Even Google’s warning system is, really, some chewing gum to cover up a broader security issue: a huge majority of Android phones have an outdated version of Android installed and will likely never see operating system or security updates. These vulnerabilities will continue, unabated, until Google can actually force updates on its partners. And history says that’s not likely to happen anytime soon.