Skip to main content

'Gooligan' Android malware used to compromise Google accounts

Android
Android (Image credit: Android Central)

Security firm Check Point has revealed a new malware campaign involving using malicious apps to root Android devices, steal Google authentication tokens and illegitimately rack up installation numbers and review scores for other apps.

The malware, dubbed "Gooligan" by Check Point, uses known vulnerabilities to get obtain root access — complete control — over devices running Android 4.x and 5.x, before using this to steal Google account names and authentication tokens. This then allowed the perpetrators to remotely install other apps from Google Play on victims' devices, and post false reviews in their name.

In theory, malware like this, which is designed to steal authentication details, may have been able to access other areas of Google accounts, like Gmail or Photos. There's no evidence that "Gooligan" did anything like this — instead, it appears it was built to make money for its creators through illegitimate app installs.

What is striking about this strain of malware is the number of accounts affected — more than one million since the campaign began, according to Check Point. The majority — 57 percent — of these accounts were compromised in Asia, according to the firm. Next were the Americas with 19 percent, Africa with 15 percent and Europe with 9 percent. Check Point has set up a site where you can check if your account is affected; Google also says it's reaching out to anyone who may have been hit.

Ahead of today's public announcement, Google and Check Point have been working together to improve Android's security.

We're appreciative of both Check Point's research and their partnership as we've worked together to understand these issues," said Adrian Ludwig, Google's director of Android security. "As part of our ongoing efforts to protect users from the Ghost Push family of malware, we've taken numerous steps to protect our users and improve the security of the Android ecosystem overall."

Check Point also notes that Google's "Verify Apps" technology has been updated to deal with apps using vulnerabilities like this. That's significant because, while it doesn't help devices that are already compromised, it roadblocks future installations on 92 percent of active Android devices, even without the need for firmware updates.

Like other app-based exploits, Google's 'Verify Apps' feature now protects 92 percent of active devices from 'Gooligan.'

"Verify Apps" is built into Google Play Services, and enabled by default in Android 4.2 Jelly Bean — accounting for 92.4 percent of active devices, based on the current numbers. (On older versions, it can be manually enabled.) Like the rest of Play Services, it's regularly updated in the background, and it blocks the installation of malicious apps, and can advise users to uninstall malware that's already there.

On newer versions of Android, the underlying exploits used by "Gooligan" to root devices will have been addressed through security patches. So as significant as a million compromised accounts sounds, this is also an example of Google's security strategy for app-based malware working as designed, blocking installations of affected apps across the vast majority of the ecosystem.

If you're concerned that your account may have been affected, you can hit up Check Point's site. In future, Google's existing safeguards — a part of Play Services for the past four years — will ensure you're protected.

Update: Google's lead engineer for Android security, Adrian Ludwig, has an extensive write-up on the background of today's "Googlian" announcement, and what Google's doing about it, over on Google+.

Alex Dobie
Alex Dobie

Alex is global Executive Editor for Android Central, and is usually found in the UK. He has been blogging since before it was called that, and currently most of his time is spent leading video for AC, which involves pointing a camera at phones and speaking words at a microphone. He would just love to hear your thoughts at alex@androidcentral.com, or on the social things at @alexdobie.

18 Comments
  • Create malware to root Android devices then steal account names and authentication tokens. What to do with that power? I know... Let's generate fake app reviews. #facepalm At least, it came out a couple of years to late to matter to me...
  • Well...we should be grateful they don't have anything "better" to do with that access, no? On another hand: this also happens thanks to the massive fragmentation the OS has. I'm glad in on marshmallow.
  • Why do I get this feeling that every time (This Security Provider Company) announces (This Strain of Android Malware,) they're just doing it to shift (This Antivirus/Security Suite) to consumers? I only say this because when I went to the "Gooligan Checker" and found that my account was NOT compromised, it conveniently showed a pop-up ad for ZoneAlarm Mobile Security, and the monthly subscription is not cheap in my country's prices... Don't get me wrong, it's an invaluable service these companies do to help make Android secure, and Google actually responding and working to secure accounts that have been compromised, but it's getting sketchier and sketchier where these strains of Malware are reported first, pop up, and do damage to accounts, and how quickly (and often) the security companies that announce they 'detected' the malware boast that THEIR antivirus/security suite will help you 'rid' of the Malware, even if Google's native solutions work just as well (unless you download from anywhere other than the GP Store, APKMirror for georestricted, alpha-and-beta versions, and original, uncompromised Google software, and the Amazon Appstore?)
  • Similar sentiment here! Although I didn't get to the point of entering my e-mail address at their website because despite their disclaimer I don't trust what they may do with it. Instead I'll check my own account activity and security directly via Google here: https://security.google.com/settings/intro/security/secureaccount
  • Two factor authentication solves a lot of these issues on its own. Though it can be a pita.
  • Apparently the malware was able to overcome 2 step authentication as well.
  • Wow. I didn't know that was even possible. Here's to security patches then...
  • If your two factor authentication is an email or text message and your app can read either one...
  • Authenticator and USB Key here :)
  • "The majority — 57 percent — of these accounts" come from places where most users download apps from outside the Google Play Store. As usual!
  • Even then Google's Verify Apps is protecting the vast majority of them against this type of malware. Apple offers no such protection for iPhone users who decide to side-load apps (usually via jailbreak) outside of their official revenue-producing App Store. Those guys are on their own. Kudos are due Google for at least attempting to shield those who intentionally bypass default security settings in order to grab apps from sometimes questionable 3rd party sites.
  • I think Apple has the better model -- tell's everyone they are on their own if they side load. Google in their defense pretty much can't operate in the same fashion as they Google's claim to fame as always been open systems and do what you want with it.
  • I have no use for non play store apps. Besides the Amazon app itself I'm over taking that kind of risk like I used to as a teen with all the time in the world to play with root.
  • What is being done to the app devs, who benefited from these "fake reviews"? Surely they had some stake in this.
  • And this is where I say thank you again to both Samsung and AT&T for providing my phone with the November security patch. There is a sea of also ran Android handsets running older OS versions that never see security updates but are purchased because they are cheap. Not at all surprised when I see this sort of story.
  • I believe I saw in another article pertaining to this Malware that one can only be infected by side loading apps. Is this the case??? I'm not worried myself as I only install apps from the Playstore plus I am on Marshmallow.
  • In order to begin the infection the malware needs the target to let them "in". This is often, but not always, done by sending an email with or without an attachment that has a link. Yes, there are many very intelligent people out there that still click on links without verifying where the link actually takes you. It's really difficult to infect a device without the [unwitting] cooperation from the target. The only other way to get root access would be to let someone have physical access to your device. It's not rocket surgery....but it can have consequences.
  • Yes, just read the forums re ppl blindly downloading apps then wondering why they have malware.... Seriously :-o