Should you worry about Gooligan? (and what Google isn't telling you)


When you build a new technology that solves a real problem, you want to extol its virtues to the world and, hopefully, save companies some headaches and money.

Sometimes, it can seem like you are that tree falling in the forest that no one hears.


At Avast, we write often in this blog about the inherent dangers of mixing business with pleasure on your mobile device. And once again we’ve been proven right with the advent of Gooligan, the latest assault on the Android OS.

Recently, we wrote about the vulnerability of mobile OSes, Apple included.

And now, not more than a couple of months later, here we are again.

As we always say, if your IT policy allows personal devices to access business apps, assume that the device has access to your entire business-critical infrastructure. Human nature and mobile development methodologies both play a role in this. We all know what a pain it is to remember and then type in passwords for app access. And so, most apps utilize a variety of long-term authentication tokens that allow users to log in once and stay logged in for an extended period of time. Convenient, yes. Secure, not necessarily.

Rooter malware like Gooligan and QuadRooter are capitalizing on this construct.  


And not to pile on, but Google’s response to this latest malware attack has been scripted to provide the best optics. Let’s break down what’s really going on and get to the bottom of your exposure.

1. Certification Matters

Do you know if your device is certified by Google? Does the manufacturer have a distribution agreement for Google Play and other Google apps? If not, you’re out of luck. Nothing that Google has done to combat Gooligan will help you and your device.

2. Google’s “Verify Apps” Service Only Goes so Far

"Verify Apps" is a reactive response that only works against known variants of previously identified malware. Finding these variants is a difficult and resource-intensive task that in most cases cannot be automated. Google relies on internal research and threat feeds from third-party sources (e.g., AV vendors or firewall vendors like Check Point, et al.) to identify these threats. Then, Google marks that particular app as malignant.

This mechanism is not enough, as it relies on these third-party sources having visibility over the entire market where these malware variants exist.

In this case, most Gooligan infections occurred in Asia, where most US companies lack such visibility. Asia is the market with the greatest number of non-Google-certified devices, not just because there are many low-cost devices that cannot be certified, but also because of political and corporate-related matters: many Chinese distributors simply cannot be Google-certified.

3. Lack of Centralization Leaves Many Devices Vulnerable

Given that there is no centralized mechanism for updating the Android OS, many devices will remain compromised. Google cannot go knocking door-to-door to get individual OEMs to update their version of the OS.

What can users do?

Third-party anti-virus solutions can help. Free services like Avast Mobile Security, for example, can detect and uninstall this malware.

What about businesses?

Long-term enterprise solutions should be sought out. One such solution is our very own Avast VMP — a virtualized mobile security platform.


In this case, Avast VMP would work in two ways:

First, when we talk about long-term authentication tokens, the malware would only be able to collect the Avast VMP login token. The user and the business apps delivered through Avast VMP would remain protected by the session passcode and TouchID. Also, IT-controlled mechanisms on the server side, such as geolocation and device approval, would ensure only your device has access to the safe corporate assets.

Second, Avast VMP’s centralized management makes it impossible to trick users into installing infected apps in the VMP container. IT maintains complete control over which apps are available via Avast VMP (slick stuff, right?).

The Takeaway

2016 seems to have spurred more and more attention toward mobile devices, with Gooligan squeezing in just before the start of a new year. This increased frequency of mobile hacks and the lack of security solutions offered by manufacturers are making mobile security more of a necessity than a precaution, especially for businesses.

If you're looking to keep your organization safe, check out our free Enterprise Mobility Management eBook. It covers the various types of mobile security solutions and how they work. Give it a look.
