‘Gooligan’ malware roots older Android phones

Android security researchers say the malware aims to install apps, not steal information.

More than a million Google accounts have been taken over by a cybercrime gang using malicious software hidden in harmless-looking mobile apps — and they’re infecting more than 13,000 additional Android phones every day, according to researchers.

The malware, dubbed “Gooligan” by Israeli cybersecurity company Check Point Software Technologies Ltd., uses old vulnerabilities that are still potent because so many phones in the Android ecosystem are not running the latest version of the operating system. The vulnerabilities allow the malware to get root access — burrowing down to the deepest level of the operating system, which means infected phones have to be wiped and reinstalled.

Android versions prior to 6.0 (Marshmallow) might be vulnerable, says the Check Point blog post, noting that this is about three-quarters of all the 1.03 billion phones using the OS. The company says the gang is monetizing the malware by forcing infected phones to download apps through an ad page — meaning the hackers get paid. Researchers said they are working with Android to come up with a fix.

Of the million-plus phones already infected, more than half (57 percent) are in Asia and about 9 percent are in Europe. Fewer than one in five (19 percent) are in the Americas. Gooligan has been found in dozens of apps available on third-party stores, Check Point says. Google says it monitors its own Google Play app store to block malicious apps.


Geographic breakdown of Google accounts breached via Gooligan malware (Source: Check Point Software Technologies Ltd.)

Gooligan is the latest variant of a malware family first identified in 2014 that Android calls “Ghost Push” and defines as a “hostile downloader” kind of Potentially Harmful App or PHA.

The malware, once installed, can steal the authentication tokens that Google employs to let its users get Gmail on their Android phone without having to log in every time. The tokens will even let the hackers into the email account if two-factor authentication is switched on, because the token is what Google’s servers use to recognize the phone as a trusted device.

Taking over the Gmail account of the victim allows the hackers to force the download on the phone — and the malware then submits a favorable review for the app.


Check Point researchers found a list of 1.3 million compromised accounts on a server that was part of the command and control infrastructure for the gang, according to Michael Shaulov, the company’s head of mobile and cloud security. He said the infected phones were downloading as many as 30,000 apps every day, reaching a total of more than two million downloads so far.

While not downplaying the seriousness of the issue, Android security chief Adrian Ludwig noted in a blog post that there was no evidence that specific individuals or accounts were being targeted, and that the hackers seemed uninterested in the contents of their victims’ inboxes.

“The motivation behind Ghost Push is to promote apps, not steal information, and that held true for this variant,” he wrote. “Ghost Push is opportunistically installing apps on older devices.”

Written by Shaun Waterman
