A new malware variant discovered by Check Point Software Technologies and dubbed Gooligan has spread at the rate of 13,000 devices a day and has become the first to root more than a million devices.
In this context, 'root' means to obtain superuser (root) privileges on the device, which gives control over every function of the operating system. Normally an app runs in a sandbox, and certain parts of a phone or tablet are shielded from it, partly for commercial reasons (for example, to prevent the removal of bundled applications) but also to stop apps from doing things they shouldn't. A malicious app may therefore start by rooting the device so it can act without those restrictions.
And that is what Gooligan does, at least on devices running Android 4 (Jelly Bean, KitKat) or 5 (Lollipop).
If an app carrying Gooligan is installed, or if a user taps a link in a phishing text message, the malware roots the device and steals email addresses and Google authentication tokens. Because the tokens stand in for the password, they can be used to access the user's Google account (think Gmail, Google Photos, Google Drive, and so on) without further credentials.
It then installs apps from Google Play and rates them (presumably to make them seem more attractive to other users), all without the user's involvement. More than 2 million apps have been installed this way.
Check Point has set up an online service to check whether particular email addresses are known to have been compromised by Gooligan.
A clean reinstallation of Android is required if a device has been infected by Gooligan, Check Point said, suggesting that the manufacturer or carrier be contacted for assistance. See this Check Point blog post for more information.
Source: Check Point Software Technologies
The current Gooligan variant was discovered in August and immediately reported to Google, which responded by contacting users known to have been infected, revoking their authentication tokens, removing apps from Google Play, and stepping up the checks performed on apps before they are admitted to the store.