In the wake of last month’s “Gooligan” attacks, which targeted more than a million Android devices and gained access to the users’ Google accounts, experts are suggesting that a flood of similar smartphone hacking incidents may be on the way in 2017.
The Chinese hackers behind Gooligan were making as much as $500,000 a month by exploiting their access to the phones, according to Michael Shaulov, director of mobile security for Check Point, the California-based cyber-security firm that tipped off Google to the Android security problem.
“Professional hackers, they are financially motivated,” Shaulov says. “What they’re looking for is a repeatable and scalable business model.”
And the scheme behind Gooligan may be just that.
To understand the nature of this new threat—and why it may soon be targeting your own phone—it helps to understand how the Gooligan attacks generated revenue for the hackers.
Scamming App Marketers
In this case, Shaulov says, the business model consisted of scamming marketing companies such as Mobvista, Apsee, Startapp, and the Google-owned AdMob into paying for what looked like successful, legitimate efforts to boost the popularity of certain mobile apps. (Consumer Reports reached out to those digital marketing firms but got no response.)
In reality, the increased activity was being generated by hackers who took over the affected phones and made them open dozens, and even hundreds, of apps without the users’ knowledge.
“These are free downloads and what you’re trying to do is show engagement to investors,” says Steven Cohn, senior Linux administrator at Sovrn Holdings, a Colorado-based digital advertising exchange. “You pay the hackers maybe 50 grand and you get enough downloads to put you in the highlighted page in the app store.”
That means the phone-owning consumer wasn’t the primary target, but rather an unknowing middle man in the hackers’ attempts to defraud marketing companies that pay for improved app traffic.
According to Shaulov, Gooligan is an automated version of a much larger scam that affects the app market to the tune of billions of dollars a year. That larger scam involves digital download farms in places like Vietnam, where hundreds of workers reportedly sit with phones and SIM cards and continuously load, open, and comment on apps in an attempt to artificially boost traffic and engagement on marketplaces like the Google Play Store.
Exploits such as Gooligan could potentially allow criminals to increase the scale of this scam by eliminating the human element. Infected phones not only load and open apps without the user’s permission—and often without his or her knowledge—they even leave feedback on app marketplaces. “Cleans up my phone great” and “It is very good aps (sic)” are among the comments discovered by Check Point.
Hacking Google Accounts
Gooligan was part of a larger campaign, which Google calls “Ghost Push,” that compromised both older Android 4 and 5 phones and Google user accounts. Unsuspecting victims downloaded legitimate-seeming apps such as Stopwatch and WiFi Enhancer, which carried malware that then took over their phones. Google reported that as many as 1.3 million phones might have been affected, with as many as 13,000 new phones still being affected every day.
The Gooligan scheme had some issues that limited the hackers’ profits. For one thing, the avalanche of rogue apps—potentially hundreds on any device—quickly clogged the targeted phone, tipping off the user.
“If the hackers render your phone useless,” says Cohn, “they’ve in some sense killed their investment.”
But a slightly more sophisticated version of this malware could be made to operate surreptitiously, launching just a few apps quietly in the background without the user ever suspecting.
More importantly, this data breach may herald a new wave of sophisticated attacks aimed primarily at smartphones. While PCs and corporate servers remain the primary target for hackers, that might not be the case for long.
“This is bound to get worse. Phones are a much more attractive platform [than PCs],” says Cohn, explaining that the number of phones worldwide is huge, and many phone users fail to take even basic security precautions.
Almost inadvertently, the Gooligan hackers also demonstrated the vulnerability of a far bigger prize than the phones themselves—the victims’ Google accounts.
The hackers seemingly accessed the victims’ Google accounts just to make it harder to rid devices of the malware.
Gooligan can only be completely defeated by “reflashing” the affected phone, a tech-intensive process that needs to be done by a carrier or a savvy technician. If a user merely restores the phone to factory settings, the next time the phone signs in to an affected Google account it will be re-infected. And that is continuing to happen now, three weeks after the Gooligan hack was made public.
Adrian Ludwig, Google’s chief security engineer for Android, reports that no fraudulent activity, aside from the unauthorized loading of the apps, was discovered within the affected accounts.
“The motivation behind Ghost Push is to promote apps, not steal information,” he wrote in a document posted to Google+.
But that could change, and exploiting access to users’ account data could be a logical next step for a new generation of criminals. Once hackers have access to the information in a Google account, it could be used for mischief such as resetting the passwords to accounts at banking and other financial institutions.
And that could mean serious trouble for consumers.