Enterprise messaging under fire from Android malware

14 December, 2016 by Ouriel Weisz

As November 2016 ended, enterprises with an extensive bring your own mobile device (BYOD) program for employees were given something new to worry about.

Researchers at the security company Check Point announced the discovery of an aggressive virus that targets mobile devices with the Android operating system.

The malware, known as Gooligan, is reported to have already infected over a million devices and is spreading at the rate of 13,000 new devices every day.

Two-pronged attack

Gooligan is spread in one of two ways. 

Either a user downloads a fake app from an unofficial store outside of Google Play or they receive a phishing message with a malicious link to the malware embedded within it.

If for a moment we suppose workers are responsible people, and not the kind to take risks with third-party app stores, we can probably mostly rule out this vector as a serious threat to enterprise.

The same cannot be said of messages, which often appear to have been sent by a friend or known contact.

With 97% of workers today using some form of mobile messaging app, it is easy to see the scale of the threat to large organizations.

Con trick exposes enterprise accounts

Gooligan is the latest variation of a ploy cyber criminals use to attack computer systems via email. The difference is that, instead of targeting network computers, they now aim to trick unwitting mobile users into downloading an infected payload onto their device, where it takes control of the phone.

If Gooligan succeeds in taking over a phone, information relating to the victim’s Google account is shared with a remote server belonging to the attacker. From there, it may be used to gain access to that person’s complete range of Google accounts including Gmail, Google Docs, Google Drive, Google Photos, G Suite and other data regardless of whether or not two-factor authentication is turned on.

So far most of the victims affected by Gooligan are in Asia (57%), followed by America (19%), Africa (15%) and Europe (9%).

In its research, Check Point was able to actually track down the remote server itself.  It contained details of 1.3 million actual Google accounts.

Among them were many hundreds of corporate Google accounts.

Messaging apps and the risk to CEOs

Gooligan is a perfect example of how mobile messaging apps can be used to proliferate corporate phishing campaigns.

Just imagine what an impact an attacker might have if they were to, for example, use one of these corporate Gmail accounts to mount a CEO phishing campaign.

CEO email scams involve conning employees into transferring company funds by sending them an email that supposedly comes from the CEO.

The FBI recorded 17,642 victims of these so-called “business email compromise” scams between October 2013 and February 2016.

At least one CEO has lost their job over it.

Now that email scams are spreading to mobile messaging apps, CEOs need to do more to protect themselves against this kind of attack.

Tips for taking back control

Among other things, it means organizations need much more security and control built into their group messaging and collaboration applications than the market brand leaders are able to supply.

Top tips to protect your organization from Gooligan include:

  • Never download any software from an unauthorized app store.
  • If you or anyone else in the company should fall victim, get the IT department to do a clean installation of the OS on the infected device. Also immediately change the passwords to all Google accounts belonging to the victim.
  • Finally, protect yourself from future mobile phishing campaigns by deploying an enterprise secure group messaging and collaboration platform that allows your IT department to retain full control over team chats between employees.

In summary, malware campaigns like Gooligan are proof that threat actors are turning their attention to mobile devices.  Put simply, they perceive mobile to be more vulnerable and individual users to be less vigilant. 

Attackers also know that messaging systems are a great way to trick users into spreading a successful campaign against an operating system like Android.  And, as Gooligan shows, many of those affected are workers who go on to infect corporate email accounts with malware.

An enterprise’s best defence is to deploy a group messaging and collaboration platform that has strong authentication and encryption built in and is designed to ensure the company’s IT professionals have full, centralized control of the technology.