Malware From Third Party Android App Stores Has Attacked Over 1m Google Accounts


A new malware campaign has caused over 1m Google accounts to be breached.

This is according to a report by Israeli cyber security firm Check Point, which recently published research about a “new and alarming” malware campaign.

The attack campaign, known as Gooligan, is a new variant of a sophisticated Android malware campaign discovered last year.

Users can become infected either by installing an infected app from a third party app store, or by directly tapping malicious links in a phishing campaign.

Once on a device, the malware collects data about the device and downloads a rootkit that takes advantage of exploits for Android 4 (Jelly Bean, KitKat) and Android 5 (Lollipop) to take control of the device.


Gooligan then downloads a malicious module from its command server that lets it “mimic user behaviour” so it can steal a user’s Google email & authentication token information, as well as install apps from Google Play and leave positive reviews to boost ratings.

In addition to this, the malware can even install adware to generate revenue.

And according to Check Point, stealing these authentication tokens can enable the malware to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite and Google Drive.

The security researchers said the aggressive malware is breaching 13,000 devices every day.

The majority (57%) of the 1m cases are said to be from Asia, where third party app stores are most popular, with 9% coming from Europe.


So far, Check Point has identified 86 apps infected by Gooligan.

The team reached out to Google with its research and the two companies are now collaborating to investigate the source of the malware.

In response to the report, Google’s director of Android security Adrian Ludwig said: “We’re appreciative of both Check Point’s research and their partnership as we’ve worked together to understand these issues.

“As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall.”

Despite this, in a report on the findings Ludwig said Google had found “no evidence of user data access”, and that the malware’s motivation seems to be solely about promoting apps.

Ludwig said: “In addition to rolling back the application installs created by Ghost Push, we used automated tools to look for signs of other fraudulent activity within the affected Google accounts.

“None were found. The motivation behind Ghost Push is to promote apps, not steal information, and that held true for this variant.”

Check Point said Google was planning to proactively notify affected accounts, revoke affected tokens and deploy SafetyNet improvements to better protect users in the future.

The security researchers have also created a website for anyone who is worried their account might have been hacked.


Simon Edmunds
