Gooligan Malware Breached Over One Million Google Accounts

Ray Walsh

Ray Walsh

November 30, 2016

It has been revealed that a type of malware called Gooligan has breached over one million Google accounts. The malware campaign, which is still attacking more devices, is adding an extra 13,000 android devices to its victim list every day. These were the findings of the cyber security firm Check Point, who claim that the malware is a new variant of the SnapPea malware they discovered last year.

The team’s research has exposed that the terrifying Gooligan malware attacks Android devices running Jelly Bean, KitKat, and Lollipop, which is over 74% of devices on the market today. According to the team, the malware “roots infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.”

Ghost Push – Malware


Check Point has already approached Google to explain the problem to its security team and say that they are “working closely with Google to investigate the source of Gooligan.” In fact, both SnapPea and Gooligan are part of a family of malware exploits called ‘Ghost Push.’

According to Adrian Ludwig, Google’s director of Android security, the firm has been tracking the Ghost Push malware for two years:

“Since 2014, the Android security team has been tracking a family of malware called ‘Ghost Push,’ a vast collection of ‘Potentially Harmful Apps’ (PHAs) that generally fall into the category of ‘hostile downloaders.’ These apps are most often downloaded outside of Google Play and after they are installed, Ghost Push apps try to download other apps.”

Gooligan – the Latest Evolution


Ludwig then goes on to explain that the Ghost Push malware has continuously evolved and that Gooligan is only the most recent form of the malware. According to the top security executive at Google, the firm found variants of the malware in as many as 40,000 apps in 2015 alone:

“Ghost Push has continued to evolve since we began to track it. As we explained in last year’s Android Security report [], in 2015 alone, we found more than 40,000 apps associated with Ghost Push. Our actions have continued at this increasingly large scale: our systems now detect and prevent installation of over 150,000 variants of Ghost Push.”

In Check Point’s blog post on the subject, the team explains that the malware is controlled via a command and control (C&C) server. The malware itself makes its way onto infected Android devices in the form of a phishing campaign or in apps downloaded from third party app providers (outside of the Google Play store).


How it Works

Once infected, the malware roots the device, giving the cyber attacker access to the device’s core functionality. As soon as it is rooted, the malicious software downloads a new module and steals Google accounts and authentication tokens. Next, Gooligan accesses Google Account services including Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and any the other Google services attached to the Google account in question. With access to Google Play achieved, the malware can then go onto inject codes into Google Play in order to download more fraudulent apps.

Mr Ludwig has praised Check Point for its ongoing work to help Google to contain the problem as much as possible:

“We’re appreciative of both Check Point’s research and their partnership as we’ve worked together to understand these issues. As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall.”

According to Check Point, users in Asia appear to be the worst affected:


What You Should Do

The good news is that Google is doing a number of things to quell the growing problem. This includes notifying affected users, revoking tokens that are known to have been affected and deploying SafetyNet improvements. In addition, Check Point has set up a service for people to check if their devices have been affected.

Anybody with an Android device is advised to quickly check to see if their device has been compromised. If the malware is found on your device you should do the following:

1. Get your Android device ‘flashed’ with a fresh version of the operating system. This can be quite tricky and should be done by a proper technician unless you are highly confident about doing it properly. As such, you should approach your smartphone provider if you have one.

2. Change your Google account passwords online as soon as possible and don’t access them on the infected device (they will automatically sign out of other devices if you do it using a PC online).

As always, we recommend that you stay away from third party app stores and strongly advise you to be extremely careful when confronted with emails and SMS messages with links to apps.

Exclusive Offer
Get NordVPN for only