Home Security Gooligan a hooligan stealing Google Accounts

New malware called Gooligan has breached more than one million Google Accounts and that number increases every day.

Check Point says the malware roots infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.

It comes from downloading legitimate but infected apps from third-party app stores – there is no evidence that these are in Google Play. Third-party app stores are popular because many of their apps are free, or offer so-called “cracked” free versions of paid apps. Gooligan-infected apps can also be installed if one is caught up in a phishing scams where attackers broadcast links to infected apps to unsuspecting users via SMS or other messaging services.

Check Point says Gooligan has breached over a million Google accounts. It believes that it is the largest Google account breach to date, and is working with Google to continue the investigation. It urges Android users to validate whether their accounts have been breached.

What it does

Full details are on the Check Point blog. However, it seems to be limiited to older versions 4 and 5 of Android.

After achieving root access, Gooligan downloads a new, malicious module from the command anc control server and installs it on the infected device. This module injects code into running Google Play or GMS (Google Mobile Services) to mimic user behaviour so Gooligan can avoid detection, a technique first seen with the mobile malware HummingBad. The module allows Gooligan to:

  • Steal a user’s Google email account and authentication token information;
  • Install apps from Google Play and rate them to raise their reputation; and
  • Install adware to generate revenue.

Check Point Goolioogan

How can you check?

You can check if your account is compromised by accessing the Check Point testing website.

If your account has been breached, the following steps are required:

  • A clean installation of an operating system on a mobile device is required (a process called “flashing”). As this is a complex process, it is recommended to power off the device and approach a certified technician, or mobile service provider, to request that the device is “re-flashed.”
  • Change Google account passwords immediately after this process.


Did you know: Key business communication services may not work on the NBN?

Would your office survive without a phone, fax or email?

Avoid disruption and despair for your business.

Learn the NBN tricks and traps with your FREE 10-page NBN Business Survival Guide

The NBN Business Survival Guide answers your key questions:

· When can I get NBN?
· Will my business phones work?
· Will fax & EFTPOS be affected?
· How much will NBN cost?
· When should I start preparing?


Ray Shaw

joomla stats

Ray Shaw ray@im.com.au  has a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT based radio program on ABC radio for 10 years, has developed world leading software for the events industry and is smart enough to no longer own a retail computer store!






Join the iTWire Community and be part of the latest news, invites to exclusive events, whitepapers and educational materials and oppertunities.
Why do I want to receive this daily update?
  • The latest features from iTWire
  • Free whitepaper downloads
  • Industry opportunities