While Google's mobile operating system, Android, may be popular, it has one glaring problem: security. In most weeks we hear about some problem that leaves Android users vulnerable to attack. Sometimes it comes from downloading apps outside of the Google Play Store, and sometimes it comes from within. This week, we have one of each.
Gooligan, named by the security firm Check Point, is malware that closely resembles another recent issue: HummingBad. Found in apps downloaded through third-party stores, this malware roots your device, giving the software direct access to all of your data. The important data that this software is looking for is your Google security token. This is a short string that allows applications on your phone, including malicious apps, to connect to the Google Play Store and download new apps in your name. It also gives the software the ability to write reviews about those apps, also in your name.
While it may seem odd to write software whose purpose is to download other software, there is a lot of financial gain to be had. Some apps offer affiliate programs, paying the referrer to encourage new downloads. If the apps that are downloaded through Gooligan participate in such an affiliate program, then the creator gets paid for every device they infect.
As of right now, nearly 1,000,000 accounts have been breached using this process. If each device generated only a single dollar in revenue, that's a million dollars in revenue for very little work. The real potential for harm, however, comes in the future. The security token gives access to more than just your Google Play account. In fact, it gives the developer access to anything Google related. This means that they could theoretically read your email, get your credit card information and anything else you store in Google. If the affiliate programs can generate this kind of revenue, imagine what they could make on your contact list or search history. Your Google account is a veritable treasure trove of information.
It's difficult to recover an infected device, but it's even more difficult to recover a compromised account. Luckily, Google is prepared for such an eventuality and has a dedicated page for fixing this type of problem. If you believe that your account has been compromised, change your password, remove the device from your authorized devices and enable Verified Boot on the device.
Another problem that persists on Android and other operating systems is insecure communication. This happens when the application developer sends important information over insecure channels. Normally, this kind of mistake results in the compromise of an account. In the case of the popular Android app AirDroid, it can result in the compromise of your device.
Here's what they're doing: after you log in securely, the same information is then sent to a statistics server over an insecure connection. This means that another device on the same network could get between your phone and the router and capture the information as it's being sent. Since the data is not encrypted, anybody in that position could read it and obtain your username and password. Under normal circumstances this would only allow them to log into your account, but because of the nature of AirDroid, it gives the attacker the ability to take over your device and install malicious code without your knowledge. Once that code is on there, it could act similarly to Gooligan.
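The pattern described above, a login that is protected once and then re-sent in the clear to a statistics endpoint, is the kind of thing a reviewer can catch by going over an app's outbound requests. The following is an added example, not code from the article, Zimperium or Sand Studio: it runs a simple check over a constructed capture of requests (the hosts, paths and field names are invented for illustration) and flags sensitive fields sent over plain HTTP, noting when the same value had already gone over TLS.

```python
"""Flag credential-bearing requests that leave the device over plain HTTP.

Added example (not from the article or from AirDroid/Zimperium). The
request list below is constructed; hostnames and field names are invented.
"""
from urllib.parse import urlsplit, parse_qs

# Field names that usually carry secrets; extend for the app under review.
SENSITIVE_FIELDS = {"username", "email", "password", "pass", "token", "auth"}

# Constructed sample, in the shape an on-device proxy might record: the
# login goes over TLS, then the same credentials go in the clear to a
# statistics endpoint, as described for AirDroid above.
SAMPLE_REQUESTS = [
    ("https://login.example.test/api/login", "username=alice&password=hunter2"),
    ("https://api.example.test/v1/devices", "model=pixel&os=7.1"),
    ("http://stats.example.test/report", "username=alice&password=hunter2&event=login"),
    ("http://stats.example.test/report", "event=screen_on&model=pixel"),
]


def find_plaintext_leaks(requests):
    """Return one finding per sensitive field sent over http.

    A finding is (url, field, reused), where `reused` is True when the same
    field/value pair was already sent over https earlier in the capture,
    i.e. a credential that was protected once and then exposed.
    """
    seen_over_tls = set()
    findings = []
    for url, body in requests:
        scheme = urlsplit(url).scheme.lower()
        for name, values in parse_qs(body, keep_blank_values=True).items():
            key = name.lower()
            if key not in SENSITIVE_FIELDS:
                continue
            for value in values:
                if scheme == "https":
                    seen_over_tls.add((key, value))
                else:
                    findings.append((url, name, (key, value) in seen_over_tls))
    return findings


if __name__ == "__main__":
    for url, field, reused in find_plaintext_leaks(SAMPLE_REQUESTS):
        tag = "re-sent in clear after TLS login" if reused else "sent in clear"
        print(f"{url}: field '{field}' {tag}")
```

On the sample capture this reports the username and password going to the statistics host unencrypted, both marked as re-sent after having gone over TLS; the fix on the app side is to stop sending the credentials to the statistics endpoint at all, or at minimum to use HTTPS there too.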
The researchers that discovered this problem, Zimperium, have been in communication with the developers, Sand Studio, since May, but they have not acted upon the information until now. Sand Studio's Chief Marketing Officer Betty Chen claims that the problem should be solved within the next 2 weeks.
As more advanced methods of security are developed, these types of problems should become rarer. Unfortunately, in the past couple of years, they have become more common. The idea that anybody can code, and the hiring of untrained and untested developers for high-level positions, often leads to these types of mistakes. Not everybody is able to code, and even fewer are capable of architecting a full solution. These types of violations of trust should bring attention to the problem, but somehow they continue to persist.