Gooligan Hooligans

Gooligan was unavailable for a photo, so here’s Gilligan instead.

Those poor hackers. Imagine not getting credit for your work when it goes on to fame, anonymity being recommended for staying out of prison. And no matter how clever a moniker you cook up for your creation, you’d know it’s destined for oblivion, since the privilege of naming it goes to those who detect it. All you can do is hope they come up with something worthy.

I bet a certain group of hackers in China were pleased when it got back to them that California-based cyber-security firm Check Point Technologies had dubbed their baby Gooligan. You have to admit the name has a ring.

An update of a larger scam from two years earlier, so far Gooligan has infected an estimated 1.3 million Android devices. According to Check Point,

Gooligan roots devices and steals email addresses and authentication tokens stored on the device. With this information, an attacker can access a user’s Google account data within Google Play, Google Photos, Gmail, Google Drive, and G Suite.

Owners of Gooligan-infected devices have suffered no direct damages as of this writing. Gooligan, it seems, was after larger prey: Companies that shell out big-time to elevate an app’s rating, pushing it nearer the top of searches, and thus increasing the likelihood of sales. As a recent Consumer Reports article put it, Gooligan tricked …

… marketing companies such as Mobvista, Apsee, Startapp, and the Google-owned AdMob into paying for what looked like successful, legitimate efforts to boost the popularity of certain mobile apps.

The same article reports, “The Chinese hackers behind Gooligan were making as much as $500,000 a month by exploiting their access to the phones.”

Gooligan and smartphone hacking

As I wrote last month, CreditCard.com predicted, “… as the ability to use counterfeit cards in stores dries up, fraudsters are expected to turn to other forms of fraud that prey on different vulnerabilities.” Though the article’s focus is on fraudulent credit card account use for Internet purchases, the Gooligan affair serves as a reminder of another, fast-growing danger, namely, smartphone hacking.

A recent Fiserv study showed that households banking via smartphone increased 17 percent in 2015. I wouldn’t be surprised if 2016 shows a greater increase. It would be unreasonable to think that hackers moving away from point-of-sale credit card fraud would limit themselves to online purchases. Not only are smartphones ideal hacking targets: Few users understand the need to secure their phones, and fewer bother doing so.

Financial institutions have an opportunity to provide a valuable service in the form of pointers for protecting smartphone and tablets from hackers. Suggestions might include installing vetted anti-virus / anti-malware software; using password or fingerprint protection; purchasing apps only through trusted sources like Google Play and iTunes; not accessing sites using financial or other personal data through unsecured wireless connections; accessing a website’s features and correspondence only from within and not, say, from emails; and installing operating system updates as fast as they’re released.

No need to worry about scaring clients. They’re already scared. Showing clients how to protect themselves is not so likely to alienate them as to bolster their confidence and win their appreciation for caring enough to share useful information.

Leave a Comment