Gooligan hits million Google accounts on Android devices


3 December 2016

A major Google security breach caused by "Gooligan" breaches more than one million Google accounts and infects at the rate of 13,000 devices per day, reveals network security vendor Check Point Software. 

Gooligan, a new variant of Android malware, roots Android devices and steals email addresses and authentication tokens stored on them. 

With this information, according to Check Point's security researchers, attackers can access users' sensitive data from Gmail, Google Photos, Google Docs, Google Play, Google Drive and G Suite, putting personal privacy and security, as well as business information, at critical risk.

This theft of over a million Google account details is very alarming and represents the next stage of cyber-attacks, said Michael Shaulov, Check Point's head of mobile products.

"We are seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them."

Check Point said its Mobile Research Team first encountered Gooligan's code in the malicious SnapPea app in 2015. The malware reappeared in August this year with a new variant and has since infected at least 13,000 devices per day.

According to the company's researchers, about 40 per cent of these infected devices are located in Asia and about 12 per cent are in Europe.

Hundreds of the exposed email addresses are associated with enterprises around the world, said Check Point. The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device, or by clicking on malicious links in phishing attack messages.

Google and Check Point have been working together to minimise the threats by Gooligan.

"As part of our ongoing efforts to protect users from the Ghost Push family of malware, we've taken numerous steps to protect our users and improve the security of the Android ecosystem overall," said Adrian Ludwig, director of Android security, Google.

Meanwhile, Check Point is offering a free online tool ( that allows users to check if their account has been breached.

"If your account has been breached, a clean installation of an operating system on your mobile device is required. This complex process is called flashing, and we recommend powering off your device, and approaching a certified technician or your mobile service provider, to re-flash your device," added Check Point's Shaulov.

Check Point researchers' key findings of the Gooligan malware include:

* Campaign infects 13,000 devices each day and is the first to root over a million devices.

* Hundreds of the email addresses are associated with enterprise accounts worldwide.

* Gooligan targets devices on Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which represent nearly 74 per cent of Android devices in use today.

* After attackers gain control over the device, they generate revenue by fraudulently installing apps from Google Play and rating them on behalf of the victim.

* Every day Gooligan installs at least 30,000 apps on breached devices, or over two million apps since the campaign began.