TR Member Perks!

Security firm Check Point Software Technologies has found malware that has breached more than One Million Google Accounts. They’ve named this malware campaign “Gooligan”, and claim it is breaching a further 13,000 devices every day. Gooligan is a new variant of malware known as “Ghost Push”.

The exploit works through infected apps installed via the Google Play Store. Once installed, the app roots the device, installs further software, and records the email account, login information, then installs adware. It uses two known flaws, known as VROOT and Towelroot to gain root access.

After achieving root access, Gooligan downloads a new, malicious module from the C&C server and installs it on the infected device. This module injects code into running Google Play or GMS (Google Mobile Services) to mimic user behavior so Gooligan can avoid detection, a technique first seen with the mobile malware HummingBad. The module allows Gooligan to:

– Steal a user’s Google email account and authentication token information
– Install apps from Google Play and rate them to raise their reputation
– Install adware to generate revenue


Photo Credit: Check Point Software Technologies, LTD

Photo Credit: Check Point Software Technologies, LTD

These vulnerabilities affect all devices running Android 4.x (Ice Cream Sandwich) through 5.x (Lollipop). With current Android usage share, this accounts for 74.3% of all active Android devices. Because it directly steals the authentication token, two-factor authentication does not protect against Gooligan. If infected, Checkpoint recommends a complete wipe of the device and an immediate password change.

Adrian Ludwig, Google’s Director of Android Security, has published a statement on Google+ regarding Gooligan. While it can steal personal information, Ludwig says there is “no evidence” of it directly accessing user data, noting “The motivation behind Ghost Push is to promote apps, not steal information, and that held true for this variant.” Ludwig also said that affected users that have been found have had their authentication tokens revoked, with instructions on how to proceed.

Checkpoint’s announcement contains a list of known infected apps. They have also set up a page to check if an account has been compromised. While it is not protection against Gooligan, enabling two-factor authentication is also recommended as a general security practice.


John Quilty

Staff Writer

I've been a lover of video games, writing, and technology for as long as I remember. I have a B.A. in English from the University of Illinois at Urbana-Champaign and I'm happy to write about gaming and technology for TechRaptor.


    As someone that never uses smart devices, I’m uncertain as to the scale and impact of what this news means. The few times I’ve been forced to use either the apple store or the google play store on a work device I’ve found the experience slow, awful, and cluttered. And that is even when I know the name of the app I need to install.

  • Reptile

    The article says “infected apps installed via Play Store” but the picture says “3rd party app stores” (Non-play store). Which one is right?

    If the infected apps are distributed through Play Store then it is a serious fault in Google’s process of app authorization. If the second, well, don’t install shit from where you don’t know or trust.

  • Demon John

    Weird, somehow a comment from 2010 found its way onto this page.