{"Event":{"info":"OSINT - GOOLIGAN - More than a million Google accounts breached","Tag":[{"colour":"#004646","exportable":true,"name":"type:OSINT"},{"colour":"#ffffff","exportable":true,"name":"tlp:white"}],"publish_timestamp":"0","timestamp":"1481720562","analysis":"2","Attribute":[{"comment":"","category":"External analysis","uuid":"58513820-85dc-4699-9470-4c81950d210f","timestamp":"1481717792","to_ids":false,"value":"Gooligan, a new variant of the Android malware Check Point researchers found in the SnapPea app last year, has breached the security of more than a million Google accounts, potentially exposing messages, documents, and other sensitive data to attack.\r\n \r\nThis new variant roots devices and steals email addresses and authentication tokens stored on the device. With this information, an attacker can access a user\u2019s Google account data like Google Play, Google Photos, Gmail, Google Drive, and G Suite.","disable_correlation":false,"object_relation":null,"type":"comment"},{"comment":"","category":"External analysis","uuid":"5851382e-995c-49fc-ad0f-43b1950d210f","timestamp":"1481717806","to_ids":false,"value":"http://blog.checkpoint.com/wp-content/uploads/2016/12/Gooligan-Research-Report.pdf","disable_correlation":false,"object_relation":null,"type":"link"},{"comment":"initiation C&C server","category":"Network activity","uuid":"58513976-b458-4d98-89ee-45aa950d210f","timestamp":"1481718134","to_ids":true,"value":"http://api2.appsolo.net/ggview/rsddateindex","disable_correlation":false,"object_relation":null,"type":"url"},{"comment":"initiation C&C server","category":"Network activity","uuid":"58513977-0668-47f5-b34a-4bb9950d210f","timestamp":"1481718135","to_ids":true,"value":"http://sys.hdyfhpoi.com/ggview/rsddateindex","disable_correlation":false,"object_relation":null,"type":"url"},{"comment":"initiation C&C server","category":"Network 
activity","uuid":"58513977-1544-4c4a-be60-4967950d210f","timestamp":"1481718135","to_ids":true,"value":"http://sys.syllyq1n.com/ggview/rsddateindex","disable_correlation":false,"object_relation":null,"type":"url"},{"comment":"initiation C&C server","category":"Network activity","uuid":"58513978-12d0-4f68-bf3e-40c7950d210f","timestamp":"1481718136","to_ids":true,"value":"http://sys.wksnkys7.com/ggview/rsddateindex","disable_correlation":false,"object_relation":null,"type":"url"},{"comment":"Exploit kit","category":"Payload delivery","uuid":"58513a1b-4d2c-4701-a641-4c76950d210f","timestamp":"1481718299","to_ids":true,"value":"http://down.vcrlwlen.com/thinking/group/rt1028_648.apk","disable_correlation":false,"object_relation":null,"type":"url"},{"comment":"","category":"Payload delivery","uuid":"58513a69-a980-43f0-a7f1-40be950d210f","timestamp":"1481718377","to_ids":true,"value":"/system/lib/igpld.so;","disable_correlation":false,"object_relation":null,"type":"filename"},{"comment":"","category":"Payload delivery","uuid":"58513a69-beac-49e6-858e-4c50950d210f","timestamp":"1481718377","to_ids":true,"value":"/system/lib/igpfix.so;","disable_correlation":false,"object_relation":null,"type":"filename"},{"comment":"The file /system/xbin/igpi is used to inject binary library into a remote process","category":"Payload delivery","uuid":"58513a97-8e78-480b-8055-4089950d210f","timestamp":"1481718547","to_ids":true,"value":"/system/xbin/igpi","disable_correlation":false,"object_relation":null,"type":"filename"},{"comment":"","category":"Payload delivery","uuid":"58513a98-3aac-473b-a74f-431d950d210f","timestamp":"1481718424","to_ids":true,"value":"/system/lib/igpld.so","disable_correlation":false,"object_relation":null,"type":"filename"},{"comment":"","category":"Network activity","uuid":"58513c03-7614-48db-8d46-46eb950d210f","timestamp":"1481718787","to_ids":true,"value":"g.omlao.com/igp/api/1","disable_correlation":false,"object_relation":null,"ty