
How does Gooligan malware compromise Google accounts?

Android apps infected with Gooligan malware enable attackers to compromise the security of Google accounts. Expert Nick Lewis explains how users can protect themselves.

More than one million Google accounts had their security compromised by the Gooligan malware. Google updated Verify Apps in the Google Play Store to prevent users from installing apps infected with Gooligan. How did Gooligan breach these accounts, and what can be done to prevent tokens from being stolen?

Part of the standard security advice for mobile device users is to only install apps from approved app stores, like the Google Play Store for Android devices. Many pieces of mobile malware rely on people installing potentially malicious apps from outside of legitimate app stores. People might install mobile apps from third-party sites or directly from a developer for many different reasons, but doing so puts them at additional risk, because many mobile malware authors distribute their malware through exactly these unofficial channels.

Check Point researchers blogged about the Gooligan malware attack, which starts when someone installs an infected app from outside the Google Play Store. Once the Gooligan malware is installed, it connects to a command-and-control server and downloads a rootkit to take complete control of the vulnerable Android device. Once it has control, it steals the user's Google email account and authentication token, which enables it to access the user's other Google accounts, such as Google Photos, Google Docs and Google Drive.

However, rather than using the stolen token to exfiltrate user account data, the malware downloads additional apps from the Google Play Store and leaves positive reviews for them in order to generate ad revenue for the attacker.

To protect your Android device from the Gooligan malware, only install apps from the Google Play Store, and do not approve app installations unless they come from the Google Play Store or an enterprise-approved third-party store. Users may want to periodically check whether new apps have been installed on their devices to make sure they didn't accidentally install something malicious, and should use Check Point's Gooligan Checker to see if their account has been compromised.
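The periodic check suggested above can be automated on a device connected over adb. The following script is an added example, not code from the article or from Check Point: it parses the output of `pm list packages -3 -i` (third-party packages with the installer that put them there) and flags any package whose installer is not Google Play (`com.android.vending`) or an installer listed in the `TRUSTED_INSTALLERS` variable, which is an assumed name for an enterprise-approved store. The sample output embedded below is constructed for illustration; the installer field is a heuristic, since some devices report it differently and a rooted device can alter it.

```shell
#!/bin/sh
# Constructed sample of `adb shell pm list packages -3 -i` output, one package per line:
#   package:<package name>  installer=<installer package or null>
SAMPLE_PM_OUTPUT='package:com.example.bank  installer=com.android.vending
package:com.example.flashlight  installer=null
package:com.example.game  installer=com.android.packageinstaller
package:com.example.mail  installer=com.android.vending'

# Installers considered legitimate: Google Play, plus any enterprise store the
# operator lists (space separated) in TRUSTED_INSTALLERS (assumed variable name).
TRUSTED_INSTALLERS="${TRUSTED_INSTALLERS:-com.android.vending}"

# flag_sideloaded: read pm output on stdin and print every package whose
# installer is not in TRUSTED_INSTALLERS, with the installer it was recorded under.
flag_sideloaded() {
  while read -r pkgfield instfield; do
    pkg=${pkgfield#package:}
    inst=${instfield#installer=}
    trusted=0
    for t in $TRUSTED_INSTALLERS; do
      if [ "$inst" = "$t" ]; then
        trusted=1
      fi
    done
    if [ "$trusted" -eq 0 ]; then
      printf '%s (installer=%s)\n' "$pkg" "$inst"
    fi
  done
}

# count_sideloaded: number of flagged packages in the constructed sample.
count_sideloaded() {
  printf '%s\n' "$SAMPLE_PM_OUTPUT" | flag_sideloaded | wc -l | tr -d ' '
}

# Run against the constructed sample; for a real device replace the printf with:
#   adb shell pm list packages -3 -i | flag_sideloaded
printf '%s\n' "$SAMPLE_PM_OUTPUT" | flag_sideloaded
```

Anything the script prints deserves a look, either because it was sideloaded (`installer=null`) or because it was installed by a package installer other than the store you expect. Running it on a schedule and diffing the output against the previous run turns the "check periodically" advice into a concrete record of what appeared on the device and when.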

Users affected by Gooligan malware should follow Check Point's recommended recovery steps -- flashing the device's OS and changing their Google account password. This is in addition to installing updates on Android devices and for apps installed via the Google Play Store. Users whose Google accounts may have been compromised by any new apps can refer to Google's instructions for help with account recovery.


This was last published in May 2017
