Gooligan: Malware is not the only problem
December 2016 by Dennis Monner, CEO of German security specialist Secucloud
Many users of Android mobiles have been alarmed by a recent warning that the Gooligan malware has infected over a million devices around the world, although only about 9 per cent of the victims are located in Europe. Gooligan targets the older versions 4 and 5 of the Android operating system – and is very successful in doing so. That should set the warning bells ringing. Malware like Gooligan is unfortunately not uncommon and will continue to make headlines in the future. It is an illusion to think that users are going to change their behaviour and are really able to take control of their own security. That is why we need a different kind of solution to block this and similar threats.
The cyber-criminals behind Gooligan exploit two security vulnerabilities that enable them to take control of smartphones, steal access tokens for the user’s Google accounts and misuse them. That does not just sound threatening; it really is. While the security vulnerabilities have been resolved in the current version of Android, Marshmallow – or version 6.x – had only been installed on just over 10 per cent of devices in June this year and 24 per cent by November. This number is increasing, but it will still take some time until at least half of all Android smartphones are protected against Gooligan. This is because device manufacturers only provide irregular updates, and some Android versions and devices cannot be updated at all.
User behaviour – risky but impossible to change
However, the risk of being infected by malware like Gooligan does not come only from the operating system. Cyber-criminals exploit user behaviour too – for example, when users download apps from third-party app stores instead of the very secure Google Play Store. These providers may not check uploaded apps for threats as thoroughly as Google does, so infected apps often find their way into the stores and are then downloaded and installed by unsuspecting users.
It is easy to say that it is the users’ own fault if they get infected. If they want to use apps of dubious provenance, they should at least install a decent security solution on all their devices and take responsibility for their security themselves. However, this is totally unrealistic. Children and teenagers in particular will override warnings and install a must-have app, even if its source is dubious. And then there are all the mobile threats that can infect devices without the user doing anything, such as drive-by downloads. This is why it is cynical to expect users to take sole responsibility for their own security.
Local protection is no longer enough
Another aspect is that cyber-criminals will be targeting more and more devices as the internet of things (IoT) grows. For these devices, local protection may not exist or may be impossible to provide. The recent attacks on routers and IP cameras are examples of this. So how can we ask users to please make sure they are secure? Do we want to make them responsible and liable if their smart light bulb becomes part of an IoT botnet that carries out denial-of-service attacks? That would be unfair.
Threats like Gooligan make it even clearer that we need to think differently. The approach until now has been to protect devices individually – and this will be increasingly insufficient. Instead, security needs to be built into the internet itself. That is where threats must be detected and blocked.
Effective protection from Gooligan and others
This works best when the security solution is based in the cloud, for example within telecom providers’ infrastructure. All of the customer’s internet traffic would then be routed through this separate security system and inspected for threats, without violating the user’s privacy.
This type of solution also requires a multi-layer structure in order to maximise its security effectiveness. It would need to combine a variety of security technologies, ranging from signature-based malware detection and reputation services through to deep packet inspection, IDS/IPS, sandboxing and more. That would achieve a level of protection that, until recently, was only available to large enterprises.
A solution like this would protect all Android device owners from Gooligan, even if they were running an older version of the operating system. One example is our cloud-based security solution ECS2, which has been protecting devices from this threat since February 2015.