
Malware Named Gooligan Infected Over 1 Million Android Devices

Nov 30, 2016

Some bad news if you own an Android device or have a Google account, as it was discovered that malware called Gooligan has infected over one million Google accounts. A lot of the accounts that have been compromised were associated with enterprise users.

Gooligan Malware Hits 1 Million Android Users

Check Point Software Technologies, a security firm, found the malware named Gooligan in over 86 different apps, all of which are distributed through third-party app marketplaces. The biggest issue with Gooligan is that once you install an infected app, it automatically begins rooting the device, which gives the malware access to sensitive system data. With that system access, Gooligan downloads and installs further software that steals the device's Google authentication tokens. Whoever holds those tokens can then reach the user's Google accounts without ever entering a password, because the stolen tokens stand in for it.


As for which accounts can be accessed and stolen without a password, Gooligan can affect Gmail, Google Photos, Google Play, G Suite, Google Drive, and Google Docs. Gooligan can root devices and steal information on both Android version 4 and Android version 5. Version 4 covers Ice Cream Sandwich, Jelly Bean, and KitKat, whereas version 5 is Lollipop. Counting everyone still on version 4 or version 5 gives about 74 percent of all Android users, which is scary when you think about how many people Gooligan can really impact.

What Check Point Software Technologies found was that once the app infected with Gooligan is installed on the device, it sends device data to the campaign's Command and Control server. The apps are found on third-party marketplaces and can also be delivered as a link in a phishing message. Gooligan then downloads a rootkit from the Command and Control server and exploits well-known vulnerabilities in Android 4 and Android 5, including VROOT and Towelroot. The security patches released for these two vulnerabilities are not available for all versions of Android or for all devices, which is why they can still be exploited. Once rooting succeeds, the attacker can execute privileged commands and has complete control of the Android device.


Gooligan then downloads modules from the Command and Control server that inject code into Google Mobile Services or Google Play. This lets Gooligan avoid detection because it behaves just as the user would. After this, Gooligan can install adware to generate money, install various apps from Google Play, and steal Google account information along with the authentication tokens for those services. The malware then leaves positive reviews on Google Play for the apps it maliciously installed.

Google responded by saying the company is working with Check Point to investigate this malware and to help protect users. So far Google says there is no evidence that any account information was stolen or that people had been targeted. Google is using Verify Apps, which scans apps individually for this and other malware; if malware is detected, it alerts the owner of the device with a warning about the app being installed and stops the installation of the infected app. Looking at the data about Gooligan, 57 percent of infected devices were in Asia and 19 percent in America, while only 15 percent of infections occurred in Africa and 9 percent in Europe.

You can go to the Check Point website to see the 86 apps infected with Gooligan so you know which ones to stay away from. If your Android device has been infected with Gooligan, the only way to get rid of it is to reinstall a clean version of Android; some people find this a daunting process, although it really does not take that long to do. You should then change the passwords on your Google account and any related accounts. The best way to keep your Android device safe is to not download apps from third-party marketplaces and not to click on links in messages if you are not sure where they came from.
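As an added example (not from the article, Check Point or Google), the Python triage script below turns the article's two risk factors into a check a practitioner can run over a device: it parses the output of `adb shell getprop ro.build.version.release` and `adb shell pm list packages -3 -i`, reports whether the device runs the Android 4.x/5.x versions Gooligan roots, lists third-party apps that were not installed by Google Play (i.e. came from another store or a sideloaded APK), and matches packages against a blocklist. The sample command output, the package names and the blocklist are constructed placeholders; the real list of infected apps is the one Check Point publishes.

```python
import re

# Constructed sample of `adb shell getprop ro.build.version.release` output.
SAMPLE_RELEASE = "5.1.1\n"

# Constructed sample of `adb shell pm list packages -3 -i` output: third-party
# apps only, each with the installer that placed it. Package names are made up.
SAMPLE_PACKAGES = """\
package:com.example.notes  installer=com.android.vending
package:com.example.flashlight  installer=null
package:com.example.wallpaper.free  installer=com.thirdparty.store
"""

# Placeholder blocklist; the real list of infected apps is published by Check Point.
KNOWN_BAD_PACKAGES = {"com.example.flashlight"}

# Installer package name of the Google Play store app.
GOOGLE_PLAY_INSTALLER = "com.android.vending"


def parse_release(text):
    """Return (major, minor) from a ro.build.version.release string such as '5.1.1'."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unparseable release string: %r" % text)
    return int(m.group(1)), int(m.group(2) or 0)


def in_affected_range(release):
    """Gooligan roots Android 4.x (ICS, Jelly Bean, KitKat) and 5.x (Lollipop)."""
    major, _ = parse_release(release)
    return major in (4, 5)


def parse_packages(text):
    """Parse `pm list packages -i` lines into a {package: installer} mapping."""
    pkgs = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            pkgs[m.group(1)] = m.group(2)
    return pkgs


def triage(release, package_listing, blocklist=KNOWN_BAD_PACKAGES):
    """Flag an affected OS version, apps not installed by Google Play, and blocklist hits."""
    pkgs = parse_packages(package_listing)
    # Anything Google Play did not install came from another store or a sideloaded APK.
    sideloaded = sorted(p for p, inst in pkgs.items() if inst != GOOGLE_PLAY_INSTALLER)
    return {
        "affected_version": in_affected_range(release),
        "sideloaded": sideloaded,
        "blocklisted": sorted(set(pkgs) & set(blocklist)),
    }
```

Run `triage(SAMPLE_RELEASE, SAMPLE_PACKAGES)` on the embedded sample, or feed it the real command output captured from a device over adb.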