Android Malware ‘Gooligan’ Breaches More Than 1 Million Google Accounts


A security firm “Check Point Software Technologies”, uncovered an Android malware called ‘Gooligan’ that had accessed 1.3 Million Google accounts. This malware roots deeply onto the infected Android devices, and then allows itself to steal authentication records that could be used to access the data from Google Drive, Gmail, Google Play, G Suite, Google Docs, Google Photos and more.

Over 74% of Android Users are Vulnerable to Gooligan malware

Android 4 version (Jelly Bean, KitKat) and Android 5.0 version (Lollipop) are vulnerable to this Gooligan malware. Thus, more than 74% of Android devices could be affected by this malicious software. Although, the malware seems to be distributed mainly via applications downloaded from the third party app stores. For the most part, the users who only download their apps from Google’s Play Store should be safe, but the Google did mention that some of the apps related to this malware were also found on the Play Store. Most of the Android users that were infected by this malware live in Asia (57%), were installing apps from third party stores which is more common. Only 9% of the users infected with Gooligan are from Europe, while 19% of the infections happened in United States and rest 15% in Africa.

Plenty of Bogus Applications Infected By Gooligan

The Check Point security researchers identified numerous apps that came pre-loaded with this malware. Most were downloaded by unsuspecting users from third party stores, but some were also sent through messages in phishing campaigns. The malware was first uncovered last year by several security companies. That’s when the malware developers suspended their malicious campaign, until this summer, when the cyber criminals re-launched this malware with a new architecture that could inject the malicious code into the Android system processes.

gooligal-list3gooligan-list-2 gooligan-fake-apps

Fig: List of Fake Applications Infected with Gooligan Malware

According to the Check Point security company, the modifications in the architecture may help finance the phishing malware campaign via fraudulent ad activity. This malware could simulate clicks on advertisements, and then the developers of the Gooligan would get paid by the advert network for those installs. The company also said that the malware campaign has installed more than 2 Million apps since it launched.

Google’s Response on the Attack of Gooligan Malware

The computer security firm “Check Point Software Technologies”, uncovered an Android malware called ‘Gooligan’ that had accessed 1.3 Million Google accounts. Tck Point said that over 1 Million Google accounts were affected by this malware, Google claimed that there was no confirmation of user data access. Also, Google said that the motivation for Gooligan malware campaign seems to be promote applications and thereby make illegal money, but not to steal users’ confidential information. The firm also noted that the malware did not seem to target the specific users, and that only 0.1% of affected accounts were G Suite enterprise customers.


Fig: Gooligan Malware Compromises Google Accounts

Furthermore, Google announced that it deleted the applications that were installed by the Gooligan malware from users’ device. A little known power that the Google wields is the ability to install or remove apps on users’ devices, regardless of whether it is a Google Nexus, Pixel phone or an Android phone manufactured by other companies. However, this power is granted by Play services framework. The applications associated with Gooligan malware were also eradicated from the Google’s Play Store. The firm also said that it worked with various ISPs in order to disrupt the malware infrastructure to slow down the future efforts of infecting users.

Note: Check Point Software Technologies has developed an online tool in order to check if your Android device is infected with the Gooligan malware. By just entering your Google address into Gooligan Checker, you can easily find out if you have been hacked.

Leave a Comment

Your email address will not be published. Required fields are marked *