A Google malware called Gooligan may have compromised more than 1 million Google accounts


You have a reason to worry if you have a Google account on which lots of your important stuff depends. There was a time when having a Google account meant having a Gmail account.

These days, many aspects of your life depend on your Google account. All the apps that you install on your Android smartphone or tablet need you to be logged into your Google account. Google Docs, Google Drive, Google Photos and practically everything that Google offers needs your Google account. If you are using your Google account to log into other web services and mobile apps, even for that you need an active Google account. So, if your Google account is compromised, lots of things are compromised.

There is a Google malware called Gooligan (quite aptly named) and as reported by this Check Point blog post, it has affected more than 1 million Google account. The problem doesn’t stop here: it is breaching 13,000 Google accounts everyday. There are 86 apps available on third party Android app marketplaces that can easily breach and root 75% of Android phones.

This infographic explains how the Gooligan malware affects your mobile device running on Android:


As you will notice, the good thing is that malware attacks don’t happen unless you are careless about what you are installing on your mobile phone. Although popular, legitimate apps can also be affected, malware attacks your device only when you install apps from unverified sources. If you can help it, in case you are using an Android device, stick to the Google Play Store because almost all the apps go through some sort of testing before they are approved to be downloaded and installed.

This is how the Gooligan malware may help an attacker get access to your mobile phone:

  1. You install an infected app or the malware downloads itself through a phishing campaign.
  2. The Gooligan malware starts collecting data and also starts downloading the needed root kits.
  3. Then it roots your mobile phone or tablet (rooting gives access to the core files, that is, complete control over your device).
  4. Steals your email account and other authentication tokens. The malware can now access Google Play, Google Drive, Google Docs, Gmail, G Suite and Google Photos.
  5. Injects code into Google Play so that fraudulent apps can be downloaded.

Worried about your Google account might be compromised due to the Gooligan malware? This link on Check Point allows you to enter your email and find out whether your account is compromised or not. This Google Support page tells you how to keep your mobile phones and tablets safe from attacks like the Gooligan malware.

The Gooligan malware is developed on the lines of the notorious Ghost Push malware that can take over your mobile phone once your device is compromised. In a recent blog post Google says that it is closely working with the Check Point team to ensure that the malware can be contained in time. The post says:

As always, we take these investigations very seriously and we wanted to share details about our findings and the actions we’ve taken so far.


No evidence of user data access: In addition to rolling back the application installs created by Ghost Push, we used automated tools to look for signs of other fraudulent activity within the affected Google accounts. None were found. The motivation behind Ghost Push is to promote apps, not steal information, and that held true for this variant.
No evidence of targeting: We used automated tools to evaluate whether specific users or groups of users were targeted. We found no evidence of targeting of specific users or enterprises, and less than 0.1% of affected accounts were GSuite customers. Ghost Push is opportunistically installing apps on older devices.
Device integrity-checks can help: We’ve taken multiple steps to protect devices and user accounts, and to disrupt the behavior of the malware as well. Verified Boot [https://source.android.com/security/verifiedboot/], which is enabled on newer devices including those that are compatible with Android 6.0, prevents modification of the system partition. Adopted from ChromeOS, Verified Boot makes it easy to remove Ghost Push.
Device updates can help: Because Ghost Push only uses publicly known vulnerabilities, devices with up-to-date security patches have not been affected. Also, if a system image is available (such as those we provide for Nexus and Pixel devices[https://developers.google.com/android/images]) a reinstall of the system software can completely remove the malware.


Strengthening Android ecosystem security: We’ve deployed Verify Apps [https://goo.gl/9rqdiH] improvements to protect users from these apps in the future. Even if a user tries to install an offending app from outside of Play, Verify Apps has been updated to notify them and stop these installations.
Removing apps from Play: We’ve removed apps associated with the Ghost Push family from Google Play. We also removed apps that benefited from installs delivered by Ghost Push to reduce the incentive for this type of abuse in the future. Downloading apps from Google Play, rather than from unknown sources [https://goo.gl/9rqdiH], is a good practice and will help reduce the threat of installing one of these malicious apps in the future.
Protecting Google Accounts: We revoked affected users’ Google Account tokens and provided simple instructions so they can sign back in securely. We have already contacted all users that we know are affected.
Teaming-up with Internet service providers: We are working with the Shadowserver Foundation and multiple major ISPs that provided infrastructure used to host and control the malware. Taking down this infrastructure has disrupted the existing malware, and will slow the future efforts.


We’ve taken many actions to protect our users and improve the security of the Android ecosystem overall. These include: revoking affected users’ Google Account tokens, providing them with clear instructions to sign back in securely, removing apps related to this issue from affected devices, deploying enduring Verify Apps improvements to protect users from these apps in the future and collaborating with ISPs to eliminate this malware altogether.

This was a team effort within Google, across the Android security, Google Accounts, and the Counter-Abuse Technology teams. It also required close coordination with research firms, OEMs, and hosting companies. We want to thank those teams for their assistance and commitment during our ongoing efforts to fight Ghost Push and keep users safe.

Again, the best way to save your device from malware attacks like Gooligan is not to install apps from random sources and not to click on links you do not trust or recognize.

About Amrit Hallan
Amrit Hallan is the founder of TechBakBak.com. He writes about technology not because "he loves to write about technology", he actually believes that it makes the world a better place. On Twitter you can follow him at @amrithallan

Be the first to comment

Leave a Reply

Your email address will not be published.