
More Than 1M Google Accounts Breached by Gooligan - idoco
http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/
======
ohyoutravel
Malware on your Android device picked up from third party app stores (FDroid?
Amazon?) that steals email accounts and auth tokens. Looks like it only works
on the older Android 4 Jellybean software (and some Android 5 Lollipop) and
below, so mostly concentrated in Asia where there are lower-end phones.

You can see if your account has been affected here:

[https://gooligan.checkpoint.com/](https://gooligan.checkpoint.com/)

~~~
dsacco
Thanks for making this comment. This post is a wonderful example of the
rampant marketing that has given the security industry a bad name.

- The title is technically accurate, which is the best kind of accurate for
clickbait. This is not a novel vulnerability representative of an application
security flaw within Google - the malware campaign specifically targets older
devices using previously known vulnerabilities.[1] There is no new exploit
research here.

- There's a logo and cute name for something which is, again, _not a novel
vulnerability._ [2]

- Scaremongering tactics are used throughout to hype up the finding.[3][4]
Deliberately ominous language like _"...for now"_ is perhaps tolerable when
it's coming from a media outlet, but it's certainly unacceptable from a firm
conducting original security research.

All things told, this is closer to "threat intelligence" than real security
research. A much better source for this news is the blog post by Google's
Director of Android Security, Adrian Ludwig (first footnote, linked elsewhere
in this thread as well). In particular, notice the succinctness and the
serious, yet detached professionalism associated with the post.

In any case, there are legitimate arguments to be made in favor of extending
software or device support lifetimes for vulnerability patches, but the onus
is on device manufacturers to coordinate this. In the meantime, it would be
great if fewer firms practiced this sort of manic self-promotion, but
unfortunately there's little incentive not to.

-------

1. [https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi](https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi)

2. [http://blog.checkpoint.com/wp-content/uploads/2016/11/goo_blog.jpg](http://blog.checkpoint.com/wp-content/uploads/2016/11/goo_blog.jpg)

3. [http://blog.checkpoint.com/wp-content/uploads/2016/11/info_4_REVISED_11.23.16.jpg](http://blog.checkpoint.com/wp-content/uploads/2016/11/info_4_REVISED_11.23.16.jpg)

4. [http://blog.checkpoint.com/wp-content/uploads/2016/11/info_2_REVISED-11.23.16-Copy.jpg](http://blog.checkpoint.com/wp-content/uploads/2016/11/info_2_REVISED-11.23.16-Copy.jpg)

~~~
Pxtl
That's not to say Google has no responsibility in this. Google's OS has a
terrible security-update policy. Being able to buy a _new_ computing device
from a store that will receive no security updates is terrible, and is fairly
common in Android devices.

Now, there are valid technical reasons that Google can't be as good as
Microsoft at pushing out updates to every device running their OS, but still,
it's hard to say that Google has made fixing this problem a priority. Even
their own 1st-party devices have a pathetic 2-year upgrade window _from
launch_, which, I'll remind you, still means somebody can buy last year's
device on a store shelf and stop getting security updates before the device is
even out of warranty.

~~~
sqeaky
> Being able to buy a new computing device from a store that will receive no
> security updates is terrible, and is fairly common in Android devices.

This seems like the kind of problem the free market could solve. Just get one
phone vendor to guarantee security updates for a few years and then some
customers will start buying those phones. After a while other vendors will
start promising it or losing sales.

~~~
rpedroso
The underlying assumption is that a multitude of users would switch to devices
produced by such a manufacturer. This, I think, overestimates how much most
users currently care about security.

As it turns out, there are more secure devices in the marketplace than the
affected phones, but they cost more. All other things equal, a contractual
obligation for security policies would increase the cost (and thus price) of
devices, and users would likely stick with cheaper options.

~~~
curt15
>This, I think, overestimates how much most users currently care about
security.

The media has failed to inform the lay public about this issue. Users could be
made to care about security with the right messaging. Your average user may
not understand OS updates but the issue can be phrased simply in terms of
product defects which the manufacturer refuses to fix and that put their
personal info at risk.

------
pierrec
Just to be clear, they didn't obtain any passwords, but auth tokens. This
would potentially allow them to log into accounts, but only as long as the
tokens are valid.

Also, they don't reveal which "third party app stores" served infected apps,
but they do provide a list of infected apps, and searching for these yields
some real shady download sites:
[http://imgur.com/a/0luW3](http://imgur.com/a/0luW3)

~~~
knz
Does 2FA help in this situation? If the token signs in from a previously
unknown device/server wouldn't it prompt for authentication details?

~~~
haswell
FTA:

> While Google implemented multiple mechanisms, like two-factor-authentication,
> to prevent hackers from compromising Google accounts, a stolen authorization
> token bypasses this mechanism and allows hackers the desired access as the
> user is perceived as already logged in.

The trouble is that auth tokens are generally not tied to a specific device or
IP. There aren't really any mechanisms for this in standard OAuth 2.0 flows
(if indeed this is what they're using).

------
n1tro
I used to work in an ad-tech company focused on mobile CPI offers that for
several months paid the salaries of everyone involved by injecting malware in
cracked apps on several third party app stores (they were making a profit out
of it enough to dedicate a team only for this).

They even managed to automate all the process of "selling" cracked apps on
third party stores. It is amazing how easy it is to trick broke 13-year-old kids
into installing stuff on their phones.

I left shortly after I found out about this.

~~~
Normal_gaussian
This is one of the reasons we may need to look into self-regulation. Name
them?

~~~
Filligree
Never mind self-regulation, what he described is outright illegal. In most
countries, so is not reporting them to the police once you know about it.

~~~
Normal_gaussian
Absolutely, however with self-regulation and a standards body they will find
it much harder to get engineers in the first place.

------
devy
We were just reading "Android security in 2016 is a mess"[1] 2 days ago and
now we have another great example for it.

[https://news.ycombinator.com/item?id=13056288](https://news.ycombinator.com/item?id=13056288)

~~~
tdkl
"Windows is a mess because you can install a virus executable on it."

"You can't install Windows software outside App Store anymore, MS is taking
muh freedoms."

You can't win.

~~~
burkaman
You definitely can't win, but those two complaints are not mutually exclusive.
Instead of locking down apps to solve the first problem, in theory Microsoft
could have redesigned Windows to make third party executables less of a risk.
Obviously that's harder, but it's not hypocritical to make both those
statements.

~~~
tdkl
I'm not exactly a fan of those, but I think MS is already doing that with UWP,
whose apps weren't exactly greeted with rejoicing.

~~~
mtgx
UWP apps can't be run outside of the MS store. So that's the lock-in he was
talking about. It would be nice if Microsoft enabled "mini-VMs" for legacy x86
apps at least.

That way it could shoot two birds with one stone - make x86 apps a little
slower and more resource intensive, and thus give both users and developers a
reason to switch to UWP, while at the same time it would also make legacy x86
apps vastly more secure.

~~~
amyjess
Windows 10 allows you to turn on sideloading. Going through the Windows Store
is no longer a requirement.

~~~
pawadu
But then again, how is that different from Android of today?

------
m00dy
Checking your email address in such sites looks like a great way to collect
email addresses

~~~
mathrawka
Hey Eren,

It's not like email addresses are that hard to find when they are listed
on websites publicly...

    ereny*gdir*n[@AT]gm*il

~~~
m00dy
It requires manual interaction and is obviously not scalable.

~~~
mathrawka
It's pretty easy to automate an email harvester.

Then again just <firstname><lastname>@(gmail|yahoo|hotmail).com works for a
lot of people.

~~~
komali2
I'm convinced adding my middle initial to my email has been the most effective
spam prevention technique I've implemented.

------
mapleoin
Does anyone else use a special account for their Android phone that they don't
use for anything else?

~~~
4rtemis
I don't use a Google account on my Android phone. CyanogenMod sans Google
anything.

~~~
YCode
So I guess you don't have access to Google Play?

How do you get apps?

~~~
jasonkostempski
I've got a few crutches I'm not ready to give up so I'm on regular Android but
I've been starting down the path of using F-Droid only apps so I can transition
more smoothly when I'm ready. The only app I've got left is Maps, OsmAnd is a
little too tedious for me but I'll convince myself it's worth it eventually.
I'm also concerned that I might not be able to get Project Fi working quite
right.

~~~
deep_attention
I am using "Here WeGo" [https://here.com/](https://here.com/) (originally
developed by Nokia), quite a good alternative to Google Maps. It does not need
any Google services installed. Downloaded it directly from the Google Play
store with Raccoon.

~~~
jasonkostempski
Hmm, that Raccoon thing seems ok but using something like that would be a bit
of a sideways move for me. I'd rather move toward 100% libre software and not
rely on proprietary software I'll need to hack around to maintain privacy.

~~~
deep_attention
Then I would suggest Neo900 [https://neo900.org/](https://neo900.org/). Good
presentation about the concept:
[https://neo900.org/stuff/cccamp15/ccc2015talk/talk.pdf](https://neo900.org/stuff/cccamp15/ccc2015talk/talk.pdf)

------
alexcason
Cached:
[http://webcache.googleusercontent.com/search?q=cache:http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/](http://webcache.googleusercontent.com/search?q=cache:http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/)

------
lucb1e
So wait this is phishing, not actually hacking into Google to breach accounts
if I understood it correctly?

In that case, I suppose the title might be technically correct (those accounts
are indeed breached), but it makes it sound like Google is to blame.

~~~
tyingq
Not really phishing, just malware hosted on different app stores. And the
Google post[1] seems to indicate perhaps some of them were on the official
Play store. I read _"These apps are most often downloaded outside of Google
Play"_ as _"maybe some were downloaded from Google Play"_.

[1][https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi](https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi)

------
jrochkind1
> While Google implemented multiple mechanisms, like two-factor-authentication,
> to prevent hackers from compromising Google accounts, a stolen authorization
> token bypasses this mechanism and allows hackers the desired access as the
> user is perceived as already logged in.

What's the right fix here? Should auth tokens be ip-address-tied? How much
will that break? Or would that not even fix it?

~~~
rolodato
Token binding would solve this by binding OAuth tokens to TLS connections, so
they can't be used even if stolen:
[https://tools.ietf.org/html/draft-jones-oauth-token-binding-00](https://tools.ietf.org/html/draft-jones-oauth-token-binding-00)
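Added illustration (not from the thread, the article, or the draft's authors) of the mechanism rolodato describes and of the bearer-token weakness haswell's quote refers to: the client signs the TLS Exported Keying Material of each connection with a device-held key, so a bound token fails when a copied token and proof are replayed from another connection, while a plain bearer token is accepted anywhere. The Schnorr-style signature over Z_p^* with a Mersenne prime is a toy stand-in for the draft's key types (not secure), and AS_KEY, an HMAC secret shared by the token issuer and the resource server, is an assumption.

```python
import hashlib, hmac, json, secrets

# Toy model of OAuth token binding (draft-jones-oauth-token-binding). The client signs the
# TLS Exported Keying Material (EKM) of each connection with a device-held key, so a token
# copied off the device is useless on another connection. The Schnorr-style signature over
# Z_p^* (Mersenne prime p) is a runnable stand-in for the draft's key types and is NOT
# secure; AS_KEY is an assumed secret shared by the token issuer and the resource server.
P, G = 2**127 - 1, 3
AS_KEY = secrets.token_bytes(32)
def H(r, msg):  # challenge hash for the toy signature, reduced into the exponent group
    return int.from_bytes(hashlib.sha256(r.to_bytes(16, "big") + msg).digest(), "big") % (P - 1)
def keygen():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)                      # (private, public)
def sign(x, msg):
    k = secrets.randbelow(P - 2) + 1
    e = H(pow(G, k, P), msg)
    return e, (k - x * e) % (P - 1)
def verify(y, msg, sig):
    e, s = sig
    return H(pow(G, s, P) * pow(y, e, P) % P, msg) == e
def key_hash(y): return hashlib.sha256(y.to_bytes(16, "big")).hexdigest()

def issue_token(sub, binding_pub=None):
    """Plain bearer token, or one bound to the hash of the client's binding key (tbh)."""
    claims = {"sub": sub, **({"tbh": key_hash(binding_pub)} if binding_pub else {})}
    body = json.dumps(claims, sort_keys=True)
    return body + "." + hmac.new(AS_KEY, body.encode(), "sha256").hexdigest()
def new_connection(): return secrets.token_bytes(32)  # fresh EKM per TLS handshake (RFC 5705)

def client_request(token, ekm, binding=None):
    """A bound client adds its public key and a signature over this connection's EKM."""
    req = {"token": token}
    if binding:
        req["tb_pub"], req["tb_sig"] = binding[1], sign(binding[0], ekm)
    return req

def resource_server(req, ekm):
    """Return the subject if the token, and any binding proof, is valid on this connection."""
    body, _, tag = req["token"].rpartition(".")
    if not hmac.compare_digest(hmac.new(AS_KEY, body.encode(), "sha256").hexdigest(), tag):
        return None
    claims = json.loads(body)
    if "tbh" in claims and (key_hash(req.get("tb_pub", 0)) != claims["tbh"]
                            or not verify(req["tb_pub"], ekm, req.get("tb_sig", (0, 0)))):
        return None                             # stolen bound token: no key, or wrong connection
    return claims["sub"]

def demo(sub="victim@example.com"):
    """Legitimate use on connection 1, then replay of the captured requests on connection 2."""
    binding, ekm1, ekm2 = keygen(), new_connection(), new_connection()
    bearer_req = client_request(issue_token(sub), ekm1)
    bound_req = client_request(issue_token(sub, binding[1]), ekm1, binding)
    return {"bearer_ok": resource_server(bearer_req, ekm1), "bound_ok": resource_server(bound_req, ekm1),
            "bearer_replay": resource_server(bearer_req, ekm2), "bound_replay": resource_server(bound_req, ekm2)}
```

In `demo()` the bearer token is accepted on the attacker's connection while the bound one is rejected, which is the difference between the stolen Gooligan tokens and what the draft proposes.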

~~~
notJim
Would this mean that the token is only good for the duration of the connection
though? Most apps on mobile hold tokens that ~never expire (iirc I've never
had to re-auth the Gmail app.)

------
neotek
And still people complain that Apple refuses to allow third-party app stores.

~~~
jazoom
I get from this that the thing Apple did right wasn't preventing other install
sources, but rather that they control all their updates.

------
X86BSD
The difference between iOS and android could not be more clear in this regard.
It's interesting to see the difference in security between the two. It's night
and day. Google has some serious problems to address. But it seems like they
don't care. Their track record is deplorable regarding android security. Is
this really the best google can do?

~~~
tdb7893
Most Android isn't stock and there are a ton of old versions out there so it's
a little apples to oranges. I think if you would have a phone created by Google
and keep it up to date it would probably be pretty secure.

~~~
dep_b
I didn't hear any customer beg for a customized version of Android. Rather
"stock Android" seems to be a selling point nowadays.

It's just a bunch of marketing weenies looking for "a unique opportunity to
put focus on the brand". Seldom do I see things (like multitasking in some
Samsung devices before it came to Android) that would really help the end
user.

------
jalajc
Is there a way to know if my email is on the list of breached accounts?

~~~
favadi
Right in the article:
[https://gooligan.checkpoint.com](https://gooligan.checkpoint.com).

