Home Security Gooligan a hooligan stealing Google Accounts

Gooligan a hooligan stealing Google Accounts

New malware called Gooligan has breached more than one million Google Accounts and that number increases every day.

Check Point says the malware roots infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.

It comes from downloading legitimate but infected apps from third-party app stores – there is no evidence that these are in Google Play. Third-party app stores are popular because many of their apps are free, or offer so-called “cracked” free versions of paid apps. Gooligan-infected apps can also be installed if one is caught up in a phishing scams where attackers broadcast links to infected apps to unsuspecting users via SMS or other messaging services.

Check Point says Gooligan has breached over a million Google accounts. It believes that it is the largest Google account breach to date, and is working with Google to continue the investigation. It urges Android users to validate whether their accounts have been breached.

What it does

Full details are on the Check Point blog. However, it seems to be limiited to older versions 4 and 5 of Android.

After achieving root access, Gooligan downloads a new, malicious module from the command anc control server and installs it on the infected device. This module injects code into running Google Play or GMS (Google Mobile Services) to mimic user behaviour so Gooligan can avoid detection, a technique first seen with the mobile malware HummingBad. The module allows Gooligan to:

  • Steal a user’s Google email account and authentication token information;
  • Install apps from Google Play and rate them to raise their reputation; and
  • Install adware to generate revenue.

Check Point Goolioogan

How can you check?

You can check if your account is compromised by accessing the Check Point testing website.

If your account has been breached, the following steps are required:

  • A clean installation of an operating system on a mobile device is required (a process called “flashing”). As this is a complex process, it is recommended to power off the device and approach a certified technician, or mobile service provider, to request that the device is “re-flashed.”
  • Change Google account passwords immediately after this process.


Did you know: 1 in 10 mobile services in Australia use an MVNO, as more consumers are turning away from the big 3 providers?

The Australian mobile landscape is changing, and you can take advantage of it.

Any business can grow its brand (and revenue) by adding mobile services to their product range.

From telcos to supermarkets, see who’s found success and learn how they did it in the free report ‘Rise of the MVNOs’.

This free report shows you how to become a successful MVNO:

· Track recent MVNO market trends
· See who’s found success with mobile
· Find out the secret to how they did it
· Learn how to launch your own MVNO service


Ray Shaw

joomla stats

Ray Shaw ray@im.com.au  has a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT based radio program on ABC radio for 10 years, has developed world leading software for the events industry and is smart enough to no longer own a retail computer store!