Skip to Main Content

Gooligan steals more than 1m Google accounts

You may have read or heard about an Android malware attack campaign named Gooligan.

What is Gooligan about?

The main purpose of Gooligan is to steal Google accounts from devices with Android 4 (Jelly Bean, KitKat) and 5 (Lollipop). Later these accounts are used to promote, rate, and download apps from the Google Play Store – making it a huge advertising fraud scheme. Gooligan roots infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.

That vulnerabilities are used for exploiting a mobile device and putting malicious programs on it, it isn’t something special. It’s a very popular method to compromise a system. And that’s the reason why protecting and updating your system is so important in our digital life. — Mikel Echevarria Lizarraga, Malware Analyst at the Virus Lab at Avira.

According to Checkpoint there are more than 80 malicious Gooligan apps. These apps have stolen more than 1 million Google accounts – and the number is increasing by 13,000 accounts per day!

Google’s director for Android security already published a statement on Google+:

Several Ghost Push variants use publicly known vulnerabilities that are unpatched on older devices to gain privileges that allow them to install applications without user consent. In the last few weeks, we’ve worked closely with Check Point, a cyber security company, to investigate and protect users from one of these variants. Nicknamed ‘Gooligan’, this variant used Google credentials on older versions of Android to generate fraudulent installs of other apps. — Adrian Ludwig, Google’s director of Android Security

Where do these apps come from?

The apps are found in 3rd parties stores, a fact that many may see as a relief. But it’s not! Users can be redirected to these apps while browsing the net and then be asked to install them – and a lot of them do.

Checkpoint states that 57% of the infected devices were detected in Asia. We recommend you to not relax or get comfortable nonetheless because this doesn’t mean that just Asia is being affected by “untrusted” download stores. Untrusted download stores are everywhere, they’re a dime a dozen on the internet. So if you are using other stores beside Google Play you will increase your risk for being affected – no matter if you’re in Asia or not.

We have your back!

Avira free Antivirus for Android has already been protecting you against this threat for several months. Download the app on Google’s Play Store for free!

We also recommend to check the configuration of your Android device, inside the settings > security menu. The options “Unknown sources” and “Verify apps” should be enabled by default. This will avoid the accidental installation of these malware applications.

Hey, I'm Istvan and the Social Media Manager @Avira. Find all of my blog articles here and I hope you enjoy & share them. Stay up-to-date and connect with Avira on Twitter, Facebook, Instagram, and YouTube. Follow this blog with Bloglovin.