Hunting down Gooligan

This talk provides a retrospective on how, during 2017, Check Point and Google jointly hunted down Gooligan – one of the largest Android botnets at the time. Besides its scale, what makes Gooligan a worthwhile case study is its heavy reliance on stolen OAuth tokens to attack Google Play’s API, an approach previously unheard of in malware.

This talk starts with an in-depth analysis of how Gooligan’s kill chain works, from infection and exploitation to system-wide compromise. Then, building on various telemetry, we will shed light on which devices were infected and how this botnet attempted to monetize the stolen OAuth tokens. Next we will discuss how we were able to uncover the Gooligan infrastructure and tie it to another prominent malware family, Ghostpush. Last but not least, we will recount how we went about re-securing the affected users and taking down the infrastructure.

Elie Bursztein

Anti-fraud and abuse research team lead at Google
@elie

Oren Koriat

SandBlast Mobile - Senior Analyst at Check Point Software Technologies