
‘Gooligan’ - The Latest Malware to Torment Cyber World


Are you aware of what apps your employees are downloading on their work devices? Have you installed malware protection on your mobile devices? Mobile malware is not a new phenomenon: malware-laden apps have made it through third-party app sites and even the official Google Play Store.

There is a common misconception that cellphones cannot be compromised. It is very important to protect all of your devices and exercise caution when navigating the internet and apps. This piece of malware has made a grand entrance on Android devices and is currently affecting hundreds of thousands of Android users.

Google, together with Check Point, has announced that a new form of malware called ‘Gooligan’ is actively targeting over one million Android users. This malware is embedded in dozens of legitimate-looking apps on third-party app stores.

How does Gooligan work?

Once the user downloads and installs a Gooligan-infected app, the infection begins. A rootkit is then downloaded, and if the rootkit is successful, attackers gain full control of the device and can execute privileged commands remotely. The malware roots infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.

The malware will then:

  • Steal a user’s Google email account and authentication token information
  • Install apps from Google Play and rate them to raise their reputation
  • Install adware to generate revenue

Ad servers are unable to distinguish whether an app using their service is malicious, and will send Gooligan the names of the apps to download from Google Play. After an app is installed, the ad service pays the attacker.

Who could be at risk?

Gooligan currently affects devices on Android 4 and 5 (Jelly Bean, KitKat, Lollipop). Seventy-four per cent of Android devices in use today are infected, with an average of 13,000 new infections every day.
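As an added example (not from Check Point, Google or the original article), the script below triages a device inventory for the two exposure factors described above: an Android 4 or 5 release, and apps that were not installed through Google Play. It assumes each record holds the output of `getprop ro.build.version.release` and of `pm list packages -3 -i` collected from the device; the record layout, device ids and package names are constructed. It measures exposure only and does not detect Gooligan itself.

```python
import re

# Android major versions the article lists as affected (Jelly Bean, KitKat, Lollipop).
AFFECTED_MAJORS = {4, 5}
# Installer package name recorded for apps installed through Google Play.
PLAY_INSTALLER = "com.android.vending"
# One line of `pm list packages -3 -i`, e.g. "package:com.foo  installer=null".
PKG_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


def non_play_packages(pm_output):
    """Return (package, installer) pairs whose recorded installer is not Google Play."""
    found = []
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m and m.group("installer") != PLAY_INSTALLER:
            found.append((m.group("pkg"), m.group("installer")))
    return found


def triage(devices):
    """Flag devices on an affected Android release that carry non-Play apps."""
    report = []
    for dev in devices:
        major_text = dev["release"].split(".")[0]
        major = int(major_text) if major_text.isdigit() else None
        sideloaded = non_play_packages(dev["pm_output"])
        if major in AFFECTED_MAJORS and sideloaded:
            report.append({"device": dev["id"], "release": dev["release"],
                           "review": sideloaded})
    return report


# Constructed sample inventory (assumed record layout, made-up ids and packages).
SAMPLE = [
    {"id": "dev-001", "release": "5.1.1",
     "pm_output": "package:com.example.mail  installer=com.android.vending\n"
                  "package:com.example.wifiboost  installer=null\n"},
    {"id": "dev-002", "release": "4.4.2",
     "pm_output": "package:com.example.notes  installer=com.android.vending\n"},
    {"id": "dev-003", "release": "7.0",
     "pm_output": "package:com.example.game  installer=com.example.altstore\n"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Sideloaded apps are typically recorded with `installer=null`, so a flagged device still needs a manual review of each listed package.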

Google has stated that they are taking numerous steps to protect their users and improve the security of the Android ecosystem. They are also notifying affected accounts, revoking affected tokens and deploying SafetyNet improvements to protect users from these apps in the future.

For more information please review Check Point’s Research on ‘Gooligan’ or contact Eugene Ng, BComm, CISSP, at 647.202.6241 or [email protected]