
‘Gooligan’ Android malware affects more than 1 million Google accounts

Android smartphone manufacturers aren’t the best at updating smartphones to the latest software from Google — that means older devices are more susceptible to attacks thanks to public vulnerabilities that haven’t been patched. Chances are your Android phone is running an older version and unfortunately, there is a malware campaign affecting more than 1 million Google accounts.

Security firm Check Point released information about malware dubbed “Gooligan,” which can steal your Gmail account and authentication information, install apps from Google Play, rate them without your consent, and install adware. The latter two are used to improve app store ratings and “generate revenue.”


The malware only infects devices when a user downloads and installs a “Gooligan-infected app” on a vulnerable Android device via a third-party app store or from malicious links — you’re fine if you only download from the Google Play Store and are using a newer Android device running Android 6.0 or higher.


“After an infected app is installed, it sends data about the device to the campaign’s Command and Control (C&C) server,” the research team writes in a blog post. “Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits … These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user. If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.”

Unfortunately, nearly 74 percent of Android devices run Android 4.2 Jelly Bean, Android 4.4 KitKat, and Android 5.0 Lollipop.

Adrian Ludwig, director of Android security at Google, said his team has been tracking a family of malware called “Ghost Push” since 2014. Ghost Push is a collection of potentially harmful apps (PHAs) that are “most often downloaded outside of Google Play.”

“After they are installed, Ghost Push apps try to download other apps. For over two years, we’ve used Verify Apps to notify users before they install one of these PHAs and let them know if they’ve been affected by this family of malware.”

Verify Apps is an Android feature that scans devices for security threats, and Google said it found more than 40,000 apps associated with the malware in 2015. Now, the company says Android detects and prevents installations of more than 150,000 variants of Ghost Push. Gooligan is one such variant of Ghost Push, and Ludwig said his team has “worked closely” with Check Point to protect users.

As the motivation for Ghost Push apps is to promote apps and generate revenue, Ludwig says Google has found no evidence that user data has been accessed. There is also no evidence that a specific group of users or businesses were targeted. Google says it has improved the Verify Apps feature to protect users from these apps in the future — even if you try to install an infected app, your device will notify you and stop the installation. The search giant is also continually removing apps associated with the Ghost Push family on Google Play, as well as apps that have “benefitted from installs delivered by Ghost Push to reduce the incentive for this type of abuse.”

Google urges users to download apps from the Google Play Store so as to reduce the threat of installing a malicious app. For those accounts that have been compromised, Google has contacted users and revoked authentication tokens so that they can securely sign back in.

If you’re worried your account may be compromised, Check Point has a handy tool that lets you check. Just type in your email and hit “check” and the website will tell you if your account is safe or not.

Julian Chokkattu
Former Digital Trends Contributor
Julian is the mobile and wearables editor at Digital Trends, covering smartphones, fitness trackers, smartwatches, and more…