Android Malware Gooligan puts 1 million Google accounts at risk

Android’s battle against malwares is a never ending battle. Android is everywhere and the fact that Android represents over 88% of the entire smartphone market, presents a tempting target for criminals, and the Gooligan malware, a piece of malware that compromises Google accounts, is just the latest attempt to make a buck off the trusting nature of smartphone users.

Revealed today by Check Point Research, ‘Gooligan’ is at large right now and said to have compromised more than a million phones in the last few months, and is continuing to compromise information from 13,000 devices each day.


There have been so many stories of Android malware attacks that they have begun to grow dull, but this one you might want to pay attention to. If you’ve installed apps from a 3rd party app store (i.e. not the Google Play Store), then you might have installed a Gooligan-infected app.

Fun fact : 86 apps available in third-party marketplaces can root 74 percent of Android phones.
Fun Fact : That’s not really funny

Gooligan is a variant of Ghost Push, which Google has been aware of since last year. It only works on versions of Jelly Bean, KitKat, and Lollipop—all newer versions are patched. Together, those operating systems account for 74 per cent of Android devices in use today, totalling around 1.03 billion. Upon being installed by the user, it downloads a root exploit like Towelroot to gain full access to the device. The malware copies the user’s account token and sends it to a remote server, giving the malware authors full access to the account data (all your Google apps — like Photos, Drive, and Docs).

Check Point says this is the “largest Google account breach to date” and the majority of these accounts are concentrated in Asia, thanks possibly to heavily skinned cheap phones that do not get updates not only from the Chinese OEMs but also from the likes of Samsung and LG who usually forget the budget offerings.


This basically highlights that same problem Android has had forever, more than the flaws in code, or anything else. Fragmentation. The latest Android distribution numbers saw Android’s latest OS version, Nougat, debut at just 0.3%. Marshmallow rose 5.3 percentage points to 24%, but Lollipop and KitKat both rose to 34.1% and 25.2%, respectively.

So not only are older phones not upgrading but OEMs are launching new devices powered by three year old software. How’s that for a fun fact.

Scary stuff. But it gets worse. Gooligan also injects code into the Google Play Store (the one that should be the safe one, in comparison to the aforementioned 3rd-party stores) and downloads infected fraudulent apps. To monetize all these phones that have been hacked, the attackers are showing tons of ads in these fake apps, and Check Point says that as many as 30,000 of these are being downloaded daily.

Gooligan is spreading at an alarming rate. However, since finding the bug, Check Point has been working closely with Google to see the malware defeated and the vulnerabilities which allow it to be patched up. They’ve also created an online tool to check your account to see if it’s been compromised.. If you’ve downloaded apps from outside of the Play Store, you may want to check your account.

If your account has been breached, the following steps are required:

  1. A clean installation of an operating system on your mobile device is required (a process called “flashing”). As this is a complex process, we recommend powering off your device and approaching a certified technician, or your mobile service provider, to request that your device be “re-flashed.”
  2. Change your Google account passwords immediately after this process.

Although if you’ve not disabled Google’s ‘Verify apps’, which is turned on by default in Android 4.1 (Jelly Bean) and onward, you don’t have to worry much. Between this and protections in place on the Play Store, estimates put some 92 percent of devices out there as being safe from Gooligan.

Via : ArsTechnica

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Powered by

Up ↑