Gooligan Malware Compromises More than a Million Google Accounts on Android

Security is an important aspect of Android. Due to the sheer number and variety of devices, making an OS flexible enough to run on all hardware choices and fulfill varied customer needs, while still maintaining bullet-proof security, is a very difficult task.

While Google is hard at work enhancing the overall security of Android, new vulnerabilities and exploits keep popping up and slipping under the radar. Not to mention, the very task of distributing security updates is left to the whims of the OEM, and outside of the major OEMs and major flagships, very few devices ever receive a security-focused update.

The newest bad fish in the pond was discovered by security researchers at Check Point. Nicknamed “Gooligan”, this malware attack campaign is part of the Ghost Push family of malware. Malware under this label is often downloaded through external and untrusted sources, and the apps so installed are then used to install other apps on the host device. Gooligan particularly used the Google credentials on older versions of Android to generate fraudulent installs of other apps.

Check Point mentions that Gooligan has so far breached and compromised over one million Google accounts, with the number steadily rising by an additional 13,000 breached devices every passing day. Gooligan installs over 30,000 apps daily on breached devices, and over 2 million installs have been accumulated since the campaign began. Gooligan “potentially” affects devices on Android 4.x and Android 5.x, which is bad news because, combined, these versions currently have around 74% of market share.

Interestingly, 57% of the infected devices are located in Asia, which is not surprising keeping in mind the attitude towards piracy among the general consumers in this region. North and South America follow along at a combined 19%, the African continent makes up 15% and Europe contributes at 9%. Australia, very interestingly, was not mentioned at all.

How does Gooligan work?

Check Point mentions in more detail how the malware works, so we recommend checking out their blog post.

Gooligan starts off with a legitimate-looking infected app that gets downloaded via third-party app stores or sideloaded by mistakenly clicking on malicious links in phishing attack messages. Once the infected app is installed, it sends data about the device to the main Command and Control server of the malware campaign. After device information is obtained, Gooligan downloads rootkits that are applicable to the particular Android version, such as Towelroot or VROOT. If root access is successfully obtained, Gooligan then has full control of the device, including the ability to remotely execute privileged commands.


Gooligan then goes on to download and install a new malicious module from its main server. The module's purpose is to inject code into Google Play or Google Mobile Services to mimic user behavior and avoid detection. Further, the module allows Gooligan to steal the user’s Google account and authentication token, install apps from the Play Store and rate them without consent, and install adware to generate revenue. Money is generated for the attacker when the ad network server innocently credits them for successful app referral installs. For good measure, Gooligan also leaves a high rating on the Play Store.

How do you know if you were infected?

Check Point has a good list of apps that they have identified as being infected with this malware. So if you have any of the apps mentioned in the list installed on your device, there is a good chance your account was compromised. The compromise extends over to enterprise accounts as well, so it will not hurt to double check.
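The check described above can be run against a whole device inventory rather than by eye. The following is an added example, not a tool from Check Point or Google: it assumes you have saved the output of `adb shell pm list packages -i -3` and `adb shell getprop ro.build.version.release`, and the package names in the sample data are constructed placeholders, since the actual list is not reproduced on this page and is assumed here to have been mapped to package names.

```python
import re

PLAY_STORE = "com.android.vending"
# One line of `pm list packages -i -3` (third-party apps with their installer):
#   package:<name>  installer=<installer package, or null when sideloaded>
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_packages(pm_output):
    """Map package name -> installer package (None when there is no installer)."""
    packages = {}
    for line in pm_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name, installer = m.groups()
            packages[name] = None if installer == "null" else installer
    return packages

def in_affected_range(release):
    """True for Android 4.x and 5.x, the versions the article names."""
    return release.strip().split(".")[0] in ("4", "5")

def triage(release, pm_output, listed):
    """Summarise the three signals the article gives for one device."""
    packages = parse_packages(pm_output)
    return {
        "affected_version": in_affected_range(release),
        # Apps that appear on the published infected-app list.
        "listed_installed": sorted(set(packages) & set(listed)),
        # Apps that did not come from the Play Store (third-party store or sideload).
        "not_from_play": sorted(n for n, i in packages.items() if i != PLAY_STORE),
    }

# Constructed sample input; every package name below is a placeholder.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.placeholder.cleaner  installer=null
package:com.example.placeholder.game  installer=com.example.thirdparty.store
package:com.example.notes  installer=com.android.vending
"""
LISTED = {"com.example.placeholder.cleaner", "com.example.placeholder.wifi"}

if __name__ == "__main__":
    for key, value in triage("5.1.1", SAMPLE_PM_OUTPUT, LISTED).items():
        print(f"{key}: {value}")
```

A match in `listed_installed` is the signal the article treats as a likely compromise; `not_from_play` only narrows down which apps deserve a closer look.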

If you suspect that you may be infected and compromised, you can enter your email address on a website created by Check Point for this purpose. Google’s Director of Android Security, Adrian Ludwig, points to Check Point’s blog in his Google+ post, as Check Point has been working closely with Google to understand the issue. Edit: We have been informed that the checking mechanism is a farce, as it returns a negative on the breach irrespective of the fact that you entered a legitimate email id.

If your account is compromised, you would need to undertake a complete wipe and clean installation of the OS on your device to remove all traces of Gooligan and related module code. Then, you need to change your Google account passwords immediately after the process.

If your account is not compromised, you can undertake certain precautions to avoid getting infected. Common sense dictates that one should avoid shady websites and apps, particularly those relating to illegal distribution of content. Piracy portals, whether they be in the form of black market app stores or illegal media (songs, movies etc) re-hosters, are one of the easiest ways to phish users into installing infected apps, so staying away from them is a good idea.


On a different note and for added precaution, if you are a rooted user, do pay attention to the apps installed on your device through periodic checks and make sure to grant root access only to the applications you trust. If you have the option of running a newer version of your OS with newer security patches, please exercise it.

What has Google done so far to combat Gooligan?

Adrian Ludwig mentioned key details on Gooligan and Ghost Push in his Google+ post. Gooligan and Ghost Push were made with the primary intention to fraudulently market apps and make money through referrals, so Google has not found any evidence of user data access, even though that gate was open. There was no targeting of specific user groups or enterprises either, as the malware aimed to install itself on older devices opportunistically. Further, as the Ghost Push malware family makes use of publicly known vulnerabilities, newer devices with up-to-date security patches are not affected, because these vulnerabilities have since been patched.

To protect users from infection, Google has deployed improvements to the “Verify Apps” functionality to warn users against installing any of the apps from the infected list, even if the source is outside the Play Store. The offending apps have been removed from the Play Store, which is an obvious course of action. Along with those, Google has also removed the apps that benefited from Ghost Push installs to further reduce the incentive for such abuse in the future. They have also revoked Google Account tokens of affected users and provided them with instructions on how to sign in securely. Going one step beyond, Google is also working with organizations that provided the infrastructure used to host and control the malware, in an effort to take down the main control servers to disrupt the existing malware and slow down future efforts.

The emergence of Gooligan among other kinds of malware and exploits shows that Android still has a long way to go in terms of security. Fragmentation is often at the core of the issue here, as a lot of these exploits are patched in newer Android releases, but unfortunately, those patches will never be deployed across many existing devices. A very large part of the blame here lies with the lack of after-sales service and OEM apathy, and such scenarios are very unlikely to change anytime soon, especially in the entry-level smartphone market. Malware like this makes one appreciate what BlackBerry is doing with its security-focused Android fork.

What are your thoughts on Gooligan and Android’s current state of security? Let us know in the comments below!

About author

Aamir Siddiqui

I am a tech journalist with XDA since 2015, while being a qualified business-litigation lawyer with experience in the field. A low-end smartphone purchase in 2011 brought me to the forums, and it's been a journey filled with custom ROMs ever since. When not fully dipped in smartphone news, I love traveling to places just to capture pictures of the sun setting.