Gooligan Malware Infection compromises 1,300,000 Google Accounts

A new type of Android malware known as ‘Gooligan’ has been discovered by Check Point, an Israel-based company which specialises in cybersecurity. According to initial reports, it is already spreading at a rate which has alarmed experts. On a device infected with Gooligan, an attacker can potentially gain access to the owner's Google account and to the data stored in Gmail, Google Drive, Google Photos, Google Play, G Suite and Google Docs.
It is believed that over 1,300,000 Google accounts may have already been jeopardised as a direct consequence of Gooligan malware infection. It is estimated that approximately thirteen thousand new devices are being compromised daily. Check Point researchers have indicated that the breach is the largest ever to affect Google accounts.
Gooligan malware spreads through malicious applications that are downloaded from numerous 3rd-party app stores. The apps appear to be legitimate; however, installing one causes a Gooligan malware infection. Check Point has already confirmed eighty-six malicious apps which spread the malware.
The most recent versions of the Android platform are protected against the attack; however, the owners of devices which run Lollipop and earlier versions of the Android platform are at risk of infection.
The malware has the ability to root infected devices, which allows attackers to gain control of the infected phones. It also permits attackers to fraudulently obtain Google authentication tokens, which give them access to the full range of Google services. At this point, however, the attackers are usually concentrating on generating money via advertising fraud.
The Gooligan malware clicks on adverts and downloads applications to the device which it has infected. Check Point estimates that over 30,000 applications are downloaded every day and at least 2,000,000 have been downloaded since the release of the malware.
According to Check Point, the distributor of Gooligan is probably a Chinese company that operates on a “very strict business model.” Although Google accounts could be accessed and data stolen, it is not believed that those capabilities are actually being exploited. Check Point suspects that the company is following a business model similar to that which has been used by the distributors of another form of malware known as “HummingBad”. HummingBad malware has previously been linked with a criminal element in the Chinese tech firm Yingmob.
Gooligan is an advanced form of the earlier Android malware Ghost Push. The Director of Google’s Android Security, Adrian Ludwig, recently stated that “The motivation behind Ghost Push is to promote apps, not steal information, and that held true for this variant.” It should be noted, however, that Gooligan malware is particularly dangerous given its wide range of capabilities.
Checking your Android for Gooligan Malware Infection
Check Point has now launched an online tool which allows Android users to verify whether their Google account has been breached and their device compromised.
In order to avoid infection, applications should never be downloaded from 3rd-party app stores, as these sources regularly fail to verify apps before permitting users to download them.


Posted by

Emma Taylor

Emma Taylor is the contributing editor of Defensorum. Emma started on Defensorum as a news writer in 2017 and was promoted to editor in 2022. Emma has written and edited several hundred articles related to IT security and has developed a deep understanding of the sector. You can follow Emma on https://twitter.com/defensorum and contact Emma at emmataylor@defensorum.com.