The fight against Ghost Push continues

Since 2014, the Android security team has been tracking a family of malware called 'Ghost Push,' a vast collection of 'Potentially Harmful Apps' (PHAs) that generally fall into the category of 'hostile downloaders.' These apps are most often downloaded from outside of Google Play; once installed, Ghost Push apps try to download other apps. For over two years, we’ve used Verify Apps to notify users before they install one of these PHAs and to let them know if they’ve been affected by this family of malware.

Ghost Push has continued to evolve since we began to track it. As we explained in last year's Android Security report [https://goo.gl/yrSqAG], in 2015 alone, we found more than 40,000 apps associated with Ghost Push. Our actions have continued at this increasingly large scale: our systems now detect and prevent installation of over 150,000 variants of Ghost Push.

Several Ghost Push variants use publicly known vulnerabilities that are unpatched on older devices to gain privileges that allow them to install applications without user consent. In the last few weeks, we've worked closely with Check Point [https://www.checkpoint.com/], a cyber security company, to investigate and protect users from one of these variants. Nicknamed ‘Gooligan’, this variant used Google credentials on older versions of Android to generate fraudulent installs of other apps. This morning, Check Point detailed those findings on their blog.

As always, we take these investigations very seriously and we wanted to share details about our findings and the actions we've taken so far.

Findings

- No evidence of user data access: In addition to rolling back the application installs created by Ghost Push, we used automated tools to look for signs of other fraudulent activity within the affected Google accounts. None were found. The motivation behind Ghost Push is to promote apps, not steal information, and that held true for this variant.
- No evidence of targeting: We used automated tools to evaluate whether specific users or groups of users were targeted. We found no evidence of targeting of specific users or enterprises, and less than 0.1% of affected accounts were GSuite customers. Ghost Push is opportunistically installing apps on older devices.
- Device integrity checks can help: We’ve taken multiple steps to protect devices and user accounts, and to disrupt the behavior of the malware as well. Verified Boot [https://source.android.com/security/verifiedboot/], which is enabled on newer devices including those that are compatible with Android 6.0, prevents modification of the system partition. Adopted from ChromeOS, Verified Boot makes it easy to remove Ghost Push.
- Device updates can help: Because Ghost Push only uses publicly known vulnerabilities, devices with up-to-date security patches have not been affected. Also, if a system image is available (such as those we provide for Nexus and Pixel devices [https://developers.google.com/android/images]), a reinstall of the system software can completely remove the malware.
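A device-triage check for the two findings above, as an added example that is not code from Google's post: it parses the text of `adb shell getprop` for the security patch level and the Verified Boot state and classifies the device. The property names are the standard Android ones; the cutoff date and the sample property dumps are constructed assumptions for illustration.

```shell
#!/bin/sh
# Triage helper (added example, not from Google's post): given the text of
# `adb shell getprop` for one device, report whether it has the two protections
# the post names: an up-to-date security patch level and Verified Boot in the
# enforcing ("green") state. Property names are the standard Android ones;
# the cutoff date is an assumed value for illustration.
PATCH_CUTOFF=20161101   # assumed: patch levels before 2016-11-01 count as at risk

# prop <getprop-output> <name>: value of one "[name]: [value]" line, or empty
prop() {
    printf '%s\n' "$1" | sed -n "s/^\[$2\]: \[\(.*\)\]\$/\1/p"
}

# assess_device <getprop-output>: prints one of
#   unpatched   no patch level reported (pre-6.0 builds lack it) or older than cutoff
#   unverified  patched, but verified boot state is not "green" (system partition
#               may be modified, or the check is absent on this device)
#   ok          patched and verified boot enforced
assess_device() {
    patch=$(prop "$1" ro.build.version.security_patch)
    vbstate=$(prop "$1" ro.boot.verifiedbootstate)
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;   # YYYY-MM-DD as expected
        *) echo unpatched; return ;;
    esac
    if [ "$(printf '%s' "$patch" | tr -d -)" -lt "$PATCH_CUTOFF" ]; then
        echo unpatched
    elif [ "$vbstate" != green ]; then
        echo unverified
    else
        echo ok
    fi
}

# Constructed sample dumps (not real devices), trimmed to the relevant properties.
OLD_DEVICE='[ro.build.version.release]: [4.4.2]
[ro.boot.verifiedbootstate]: []'
MODIFIED_DEVICE='[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2016-12-05]
[ro.boot.verifiedbootstate]: [orange]'
PATCHED_DEVICE='[ro.build.version.release]: [7.1.1]
[ro.build.version.security_patch]: [2016-12-05]
[ro.boot.verifiedbootstate]: [green]'

for d in "$OLD_DEVICE" "$MODIFIED_DEVICE" "$PATCHED_DEVICE"; do
    echo "Android $(prop "$d" ro.build.version.release): $(assess_device "$d")"
done
```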

Actions

- Strengthening Android ecosystem security: We’ve deployed Verify Apps [https://goo.gl/9rqdiH] improvements to protect users from these apps in the future. Even if a user tries to install an offending app from outside of Play, Verify Apps has been updated to notify them and stop these installations.
- Removing apps from Play: We’ve removed apps associated with the Ghost Push family from Google Play. We also removed apps that benefited from installs delivered by Ghost Push to reduce the incentive for this type of abuse in the future. Downloading apps from Google Play, rather than from unknown sources [https://goo.gl/9rqdiH], is a good practice and will help reduce the threat of installing one of these malicious apps in the future.
- Protecting Google Accounts: We revoked affected users’ Google Account tokens and provided simple instructions so they can sign back in securely. We have already contacted all users that we know are affected.
- Teaming up with Internet service providers: We are working with the Shadowserver Foundation and multiple major ISPs that provided infrastructure used to host and control the malware. Taking down this infrastructure has disrupted the existing malware and will slow future efforts.

Recap

We’ve taken many actions to protect our users and improve the security of the Android ecosystem overall. These include: revoking affected users’ Google Account tokens, providing them with clear instructions to sign back in securely, removing apps related to this issue from affected devices, deploying enduring Verify Apps improvements to protect users from these apps in the future and collaborating with ISPs to eliminate this malware altogether.

This was a team effort within Google, across the Android security, Google Accounts, and the Counter-Abuse Technology teams. It also required close coordination with research firms, OEMs, and hosting companies. We want to thank those teams for their assistance and commitment during our ongoing efforts to fight Ghost Push and keep users safe.