Android malware “Gooligan”: Millions of Google Accounts Suspected Breached ~ SAMPATKUMARI'S Blog "PARISHKAR"




A new Android malware has been revealed and named “Gooligan”. It is reported to have attacked more than 1000000 Android OS handsets, and the number is increasing by roughly 15000 every day. The malware roots infected devices and steals Google authentication tokens, which can be used to access data from various Google services such as Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.

What are Google authorization tokens?

A Google authorization token is issued by Google once a user has successfully logged in to their account. It is a way to access the user's Google account and the related services.

What are the risks if Google authorization tokens are stolen by cyber criminals?

If an authorization token is stolen by a cyber criminal, it can be used freely to access all the Google services related to that particular user, such as Google Play, Gmail, Google Docs, Google Drive, and Google Photos. A stolen authorization token may bypass mechanisms like two-factor authentication and gives the attacker the desired access, because the user is perceived as already logged in.
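A minimal model of the token behaviour described above, added here as an illustration (not code from the original post and not Google's implementation): login checks the password and a second factor, while later requests check only the token. The class, the fixed second-factor code and the revoke-on-password-change policy are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets


class ToyAccountService:
    """Simplified account service: a teaching model, not Google's implementation."""

    def __init__(self):
        self._users = {}   # email -> (salt, password_hash, second_factor_code)
        self._tokens = {}  # token -> email

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, email, password, second_factor_code):
        salt = secrets.token_bytes(16)
        self._users[email] = (salt, self._hash(password, salt), second_factor_code)

    def login(self, email, password, second_factor_code):
        """Full login: password AND second factor are checked, then a token is issued."""
        salt, pw_hash, expected_code = self._users[email]
        if not hmac.compare_digest(self._hash(password, salt), pw_hash):
            return None
        if not hmac.compare_digest(second_factor_code, expected_code):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = email
        return token

    def whoami(self, token):
        """Service request: only the token is checked, no password or second factor."""
        return self._tokens.get(token)

    def change_password(self, email, new_password):
        """Assumed policy of this model: a password change revokes every issued token."""
        salt = secrets.token_bytes(16)
        code = self._users[email][2]
        self._users[email] = (salt, self._hash(new_password, salt), code)
        self._tokens = {t: e for t, e in self._tokens.items() if e != email}


def demo():
    svc = ToyAccountService()
    # Constructed sample account; the static second-factor code is a simplification.
    svc.register("user@example.com", "constructed-password", "123456")
    token = svc.login("user@example.com", "constructed-password", "123456")
    copied = token  # the same string, held by someone who never passed the login checks
    before = svc.whoami(copied)   # accepted: the token alone identifies the user
    svc.change_password("user@example.com", "new-constructed-password")
    after = svc.whoami(copied)    # rejected: the token was revoked
    return before, after
```
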

How did Gooligan emerge?

Last year the security team of checkpoint.com detected Gooligan’s code in the malicious SnapPea app. It was also confirmed by other security vendors and associated with different malware families such as Ghostpush, MonkeyTest, and Xinyinhe. The criminals who created this malware were silent until the middle of 2016. Then they reappeared with a more complex version capable of injecting malicious code into Android system processes. It simulates clicks on app advertisements provided by legitimate ad networks and forces the app to install on a device, thus helping to finance the campaign through fraudulent ad activity.

Which Android devices are affected?

Gooligan particularly infects devices running Android 4 (Jelly Bean, KitKat) and 5 (Lollipop). A large number of these devices (about 57%) are located in Asia and only about 9% are in Europe.




There are a number of fake applications infected with this malware, and if someone downloads any of these apps, their device might be infected. You may check your device’s application list by going to “Settings -> Apps”. If you find any of the applications in the list, please remove it with the help of an antivirus product.

How to know if your Google account is breached?

It is very easy. You can check whether your account is compromised by simply clicking here and entering the email ID associated with your Android device.


How do Android devices become infected?


A number of legitimate-looking apps on third-party Android app stores have been found infected with Gooligan's malicious code. These stores are an attractive alternative to Google Play because many of their apps are free, or are free versions of paid apps, though their security is unverified. Phishing scams are also used, broadcasting links via SMS or other messaging services.

How does Gooligan work?

If a user’s Android device is vulnerable and the user downloads and installs a Gooligan-infected app from a third-party app store, the app immediately starts sending data to the cyber criminals.




In the next step, Gooligan downloads a rootkit. This may harm many devices, because the security patches that fix the exploited flaws may not have been available for some versions of Android, or may have been ignored by users when offered. When this is done successfully, the attacker has full remote control of the infected device.

Once the cyber criminals have achieved root access remotely, Gooligan installs another app to inject code into the running Google Play or GMS (Google Mobile Services).

How Gooligan harms the users


  • Steal a user’s Google email account and authentication token information
  • Install apps from Google Play and rate them to raise their reputation
  • Install adware to generate revenue
  • Ad servers send Gooligan the names of the apps to download from Google Play and pay the criminals depending on the number of their apps downloaded.
  • The number of downloads also affects the rating of the app, and thus users shouldn’t rely on ratings alone to decide whether to trust an app.
  • The malware also fakes identification information of the infected device, such as IMEI and IMSI, so that an app can be downloaded multiple times while the installations seem to be happening on multiple devices, thereby multiplying the revenue.

What to do if your account has been breached by Gooligan?

The following steps are required. Your mobile device will need a fresh installation (also called “flashing”) of its operating system. You can approach an expert or your service provider for this complex process.




Change the password of your Google account immediately after completing this process.

Which Android devices are targeted by the malware Gooligan?


  • Android devices are only at risk if the owner has enabled app installations from unknown sources.
  • Even if the owner has installed a malicious app from a third-party app store, Gooligan still needs to download an additional component, and that component attempts to root the device using a pair of vulnerabilities.
  • Gooligan affects Android 4 and 5.
  • If your Android handset runs Android 6 Marshmallow or you've got a shiny, new Pixel running Nougat, you're safe even if you install apps from unknown sources.
  • A list of fake apps infected by Gooligan is available at the website of Check Point and you can view the list by clicking here


