More Than 1 Million Google Accounts Breached by Gooligan

Friday, 02 December 2016 15:38

As a result of a lot of hard work done by CheckPoint research teams, the new alarming malware campaign named Gooligan has been revealed today. Within this campaign Gooligan breached the security of over one million Google accounts and this number continues to rise at an additional 13,000 breached devices each day.

It is discovered that the malware roots infected devices and stole authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and other Google services.

Even though Google implement multiple authentication mechanisms, like two-factor-authentication in order to prevent attackers to breach the accounts, stolen authentication tokens for accessing Google services, bypass all these mechanisms and allow attacker to breach the account as it is supposed that user is already logged. CheckPoint reached out to the Google Security team immediately with information on this campaign, and they are working closely with Google to investigate the Gooligan campaign.

Who is affected?

Gooligan potentially affects devices on Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which is over 75% of in-market devices today.

Through the research it is identified tens of fake applications that were infected with this malware. If you’ve downloaded one of the apps from the link, below, you might be infected.

How do you know if your Google account is breached?

You can check your account on the following web page: If your account is breached, you should:

1. A clean installation of an operating system on your mobile device is required
2. Change your Google account passwords immediately after this process.

How do Android devices become infected?

Traces of the Gooligan malware code were found in dozens of legitimate-looking apps on third-party Android app stores. These stores are alternatives to Google Play because many of their apps are free, or offer free versions of paid apps. Gooligan-infected apps can also be installed using phishing scams where attackers broadcast links to infected apps to unsuspecting users. Check-Point-Gooligan-740639

How did Gooligan emerge?

CheckPoint research team first encountered Gooligan’s code in the malicious SnapPea app last year. In the summer of 2016 when the malware reappeared with a more complex architecture that injects malicious code into Android system processes. The malware simulates clicks on app advertisements provided by legitimate ad networks and forces the app to install on a device. An attacker is paid by the network when one of these apps is installed successfully.

How does Gooligan work?

The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device. After an infected app is installed, it sends data about the device to the campaign’s Command and Control (C&C) server. Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153). These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user. If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.

After achieving root access, Gooligan downloads a new, malicious module from the C&C server and installs it on the infected device. Mobile malware HummingBad module injects code into running Google Play or GMS (Google Mobile Services) to mimic user behavior so Gooligan can avoid detection. The module allows Gooligan to:

  1. Steal a user’s Google email account and authentication token information

  2. Install apps from Google Play and rate them to raise their reputation

  3. Install adware to generate revenue

The malware also fakes device identification information, such as IMEI and IMSI, to download an app twice and thereby doubling the potential revenue.

Gooligan has breached over a million Google accounts and it is believed that it is the largest Google account breach to date. We encourage Android users to validate whether their accounts have been breached at but also to install quality anti-virus protection such as CheckPoint ZoneAlarm.

CheckPoint rješenja mogu zaštiti korisnike od Gooligan malwarea, a EMC d.o.o., kao CheckPoint partner, Vam može pomoći u implementaciji ovih rješenja.


Appendix A: List of fake apps infected by Gooligan