More than 1 Million Google accounts hacked by Gooligan Android Malware

Pierluigi Paganini December 01, 2016

Experts from the security firm CheckPoint discovered a new Android malware dubbed Gooligan that has already compromised more than a million Google Accounts.

Another malware, dubbed Gooligan, is threatening Android users. The Android malware has already compromised more than 1 Million Google accounts.
The Gooligan Android malware roots vulnerable Android devices in an attempt to steal the email addresses and authentication tokens stored on them.

The stolen information is used by crooks to hijack victims’ Google accounts and access sensitive data from Google apps including Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite.

“The attack campaign, named Gooligan, breached the security of over one million Google accounts. The number continues to rise at an additional 13,000 breached devices each day,” reported CheckPoint.

“Our research exposes how the malware roots infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.”

Experts from the security firm CheckPoint have discovered dozens of legitimate-looking Android apps containing the Gooligan malware. These mobile apps were available for download on third-party stores, but experts also highlighted that users could download the malware directly by tapping malicious links embedded in malicious messages.


Once the malware is installed, it starts sending device information and stolen data to the C&C server.

“Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153),” added the researcher.

“These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user. If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.”

Experts from CheckPoint confirmed that older versions of the Android operating system are affected by the issue, including Android 4.x (Jelly Bean, KitKat) and 5.x (Lollipop), roughly 74% of Android devices currently in use.
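An exposure triage for a device fleet, based on the affected version range above and the third-party-store vector described earlier. It is an example added here, not Check Point's code or tooling; the CSV column names, device names and risk labels are assumptions for a hypothetical MDM export, and the sample rows are constructed.

```python
import csv
import io

# Android major versions the article reports as affected (4.x and 5.x).
AFFECTED_MAJORS = {4, 5}

# Constructed sample inventory; the columns are assumed, not a real MDM schema.
SAMPLE_INVENTORY = """device_id,os_release,unknown_sources
tab-001,4.4.4,1
ph-002,5.1.1,0
ph-003,6.0.1,1
ph-004,7.0,0
kiosk-005,,1
ph-006,5.0,1
"""

def android_major(release):
    """Return the major version from a string like '5.1.1', or None if unparseable."""
    head = release.strip().split(".", 1)[0]
    return int(head) if head.isdecimal() else None

def triage(csv_text):
    """Map device_id -> 'high', 'exposed', 'unknown' or 'not_listed'."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        major = android_major(row["os_release"])
        sideload = row["unknown_sources"].strip() == "1"
        if major is None:
            # Missing version data is a finding to review, not a pass.
            level = "unknown"
        elif major in AFFECTED_MAJORS:
            # Affected OS; sideloading enabled matches the third-party-store vector.
            level = "high" if sideload else "exposed"
        else:
            # Outside the version range the article names.
            level = "not_listed"
        result[row["device_id"]] = level
    return result

if __name__ == "__main__":
    for device, level in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{device}: {level}")
```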


The crooks could rapidly monetize their efforts because Gooligan generates revenue by fraudulently buying and installing apps from the official Google Play Store, rating them, and writing reviews on behalf of the phone’s owner. The malicious code also installs adware on the victims’ mobile devices.

If you fear being one of the victims of the Gooligan malware, feel free to use an online tool published by Check Point, the Gooligan Checker, which lets users check whether their Android device has been infected. It is very simple: just open the ‘Gooligan Checker’ and enter your Google email address.

If your device is infected, you need to re-flash it with a clean installation of the Android OS.


Pierluigi Paganini

(Security Affairs – Gooligan Android Malware, cybercrime)
