Android malware ‘Gooligan’ breaches over a million Google accounts


Gooligan Android malware

Mobile device users are once again at high risk, as a new Android malware has emerged that breached over one million Google accounts since August. Called “Gooligan”, the malicious development is found to be infecting as many as 13,000 devices each day.

The Android malware roots infected devices and then steals email addresses and authentication tokens to access sensitive user data from Gmail, Google Photos, Google Docs, Google Play, Google Drive and G Suite, researchers from Check Point Software Technologies claimed in a recent study.

Initial research reveals that “Gooligan” potentially affects devices on Android 4 (Jelly Bean as well as KitKat) and the Android 5.0 (Lollipop) platforms that jointly account for over 74 percent of the total in-market devices. Notably, about 57 percent of the affected devices from the Asian region, while 9 percent are located in Europe.

“This theft of over a million Google account details is very alarming and represents the next stage of cyber- attacks,” said Michael Shaulov, Check Point’s head of mobile products, in a statement.

Leveraging the vulnerability on old Android platforms, attackers gain backdoor access on the infected devices and then generate revenue by fraudulently installing apps from Google Play store.

It is worth noting that “Gooligan” is not available on the apps listed on Google Play. However, it spreads infection on devices through apps installed from third-party app stores. Once users install a “Gooligan”-infected app, it sends data about the device to the primary server of attackers and thereafter automatically downloads a rootkit that results in the breach.

“We are seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them,” said Shaulov.

A member of “Ghost Push” malware family

Since 2014, the Android security team has been malware family “Ghost Push” that includes “Gooligan” as a variant. Google’s director of Android security Adrian Ludwig in a Google+ post confirms a development to protect users.

“As a part of our ongoing efforts to protect users from the Ghost Push family of malware, we have taken numerous steps to protect our users and improve the security of the Android ecosystem overall,” Ludwig said.

Though Ludwig acknowledges the malware, he mentions that his team has not replicated any evidence of user data access. “The motivation behind Ghost Push is to promote apps, not steal information, and that held true for this variant,” he stated.

Updates for protection

Ludwig recommends users to install software updates frequently to reduce risk, as the malware affects older platform versions. Furthermore, Android users who suspect the breach of their Google accounts can go through “flashing” process and reinstall the operating system on their devices. They also need to change passwords of their accounts after completely “flashing” the devices.


  1. […] malware gains root privileges of the infected device to exploit the security. It uses an app called Baidu Easy Root to gain the […]


Please enter your comment!
Please enter your name here