New Android malware ‘Gooligan’ has breached over 1 million Google accounts


Revealed today by Check Point Research, there’s seemingly another Android malware campaign in the wild. This one goes by the name of Gooligan, and, according to Check Point, it’s already breached as many as 1 million Google accounts. And this number is still rising by 13,000 accounts on a daily basis.

There have been so many stories of Android malware attacks that they have begun to grow dull, but this one you might want to pay attention to. If you’ve installed apps from a 3rd party app store (i.e. not the Google Play Store), then you might have installed a Gooligan-infected app. That’s how this whole campaign starts, by installing malware via that app, collecting data about your phone, rooting your phone, and stealing your email accounts and authentication tokens (which gives them theoretical access to all your Google apps — like Photos, Drive, and Docs).

Scary stuff. But it gets worse. The Gooligan campaign then injects code into the Google Play Store (the one that should be the safe one, in comparison to the aforementioned 3rd-party stores) and downloads infected fraudulent apps. To monetize all these phones that have been hacked, the attackers are showing tons of ads in these fake apps, and Check Point says that as many as 30,000 of these are being downloaded daily.

As I said, so far, this has managed to breach over a million Google accounts — which Check Point says is the “largest Google account breach to date.” The majority of these breached accounts are concentrated in Asia, but as many as 28% of them are located in the Americas and Europe.  To see if you’re compromised, head to the web site that Check Point created: Thankfully, if you’re running Marshmallow or later, you’re safe.


All of this really just highlights one big problem with Android that other companies — like Apple — don’t have to deal with as much: severe software fragmentation. The latest Android distribution numbers saw Android’s latest OS version, Nougat, debut at just 0.3%. Marshmallow rose 5.3 percentage points to 24%, but Lollipop and KitKat both rose to 34.1% and 25.2%, respectively.

That problem could not be more highlighted here. As I mentioned, this malware only affects Android devices running versions of Android that are Lollipop or older. Unfortunately, as of the latest numbers, that means that a huge 75% of Android devices are running a version vulnerable to Gooligan. Most of these users aren’t actually vulnerable, however, since Google still protects phones with Verify Apps.

Check Point also notes that Google’s “Verify Apps” technology has been updated to deal with apps using vulnerabilities like this. That’s significant because, while it doesn’t help devices that are already compromised, it roadblocks future installations on 92 percent of active Android devices, even without the need for firmware updates.

Regardless, it’s a good idea to go update your phones, people. And hopefully Google starts publicly shaming OEMs that don’t even update their devices.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel



Avatar for Stephen Hall Stephen Hall

Stephen is Growth Director at 9to5. If you want to get in touch, follow me on Twitter. Or, email at stephen (at) 9to5mac (dot) com, or an encrypted email at hallstephenj (at) protonmail (dot) com.