Gooligan Malware Breaches 1M+ Google Accounts

A resurgent Android malware has already breached more than a million users’ Google accounts—and is infecting an estimated 13,000 devices per day.   

The campaign, which Check Point Software dubs Gooligan, roots Android devices and steals the email addresses and authentication tokens stored on them. With this information, attackers can access users’ sensitive data from Gmail, Google Photos, Google Docs, Google Play and G Suite.

It also generates revenues for the criminals by fraudulently installing apps from Google Play and rating them on behalf of the victim. Every day, Gooligan installs at least 30,000 apps on breached devices, or over 2 million apps since the campaign began. And to make things worse, many of the apps are part of the Ghost Push family.

Gooligan targets devices on Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which represent nearly 74% of Android devices in use today. The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device, or by clicking on malicious links in phishing attack messages.

“This…represents the next stage of cyber-attacks,” said Michael Shaulov, head of mobile products at Check Point. “We are seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them.”

The Google security team has contacted affected users and revoked their tokens, removed apps associated with the Ghost Push family from Google Play, and added new protections to its Verify Apps technology.

“We appreciate Check Point's partnership as we’ve worked together to understand and take action on these issues,” said Adrian Ludwig, Google’s director of Android security. “As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall.”

Aaron Lint, vice president of research for Arxan, said that there’s a big lesson here for mobile app providers as well.

"This malware is ruling the phone and speaks to the importance of validating the mobile environment your applications run on,” he said, via email. “Your applications have a leg up if they can detect when rooting exploits have applied, causing the end user to be more susceptible to fraud and loss. Having that telemetry in your application can permit your risk prevention measures to be aware of users which have these compromised devices. our business can respond with extra monitoring, password and credential revocation,or even notifying your customers that they are at risk."

Check Point’s Mobile Research Team first encountered Gooligan’s code in the malicious SnapPea app last year. In August 2016, the malware reappeared with a new variant and has become virulent. About 40% of the affected devices are located in Asia and about 12% are in Europe.

Check Point is offering a free online tool that allows users to check if their account has been breached.

“If your account has been breached, a clean installation of an operating system on your mobile device is required,” added Shaulov. “This complex process is called flashing, and we recommend powering off your device, and approaching a certified technician or your mobile service provider, to re-flash your device.”

Photo © Benny Marty/

What’s Hot on Infosecurity Magazine?