'Gooligan' malware infects one million Android devices

The malware exploits two unpatched Android vulnerabilities.

New malware, dubbed Gooligan, has infected at least one million Android devices. The malicious program has been spread by a huge phishing campaign, which exploits two unpatched vulnerabilities in the Android OS. Approximately 74% of Android devices are believed to be at risk, namely those running Android 4.x (Ice Cream Sandwich, Jelly Bean, and KitKat) and 5.x (Lollipop).

To be at risk, a user first has to download a Gooligan-infected application. Most of these are found in unsafe third-party app stores, but they can also be installed by clicking on unknown links. Next, Gooligan downloads a rootkit which exploits two vulnerabilities: Towelroot (CVE-2014-3153) and VROOT (CVE-2013-6282). The resulting root access allows the hacker to remotely execute commands.

After all the necessary malware components have been downloaded successfully, Gooligan steals the user's email information and Google account authorisation tokens. However, instead of accessing data, the hackers use the tokens to earn money by installing applications from the Play Store. This is done through advertising in the downloaded applications. To avoid detection on the Play Store, the malware automatically leaves good reviews on the downloaded application.

Fortunately, the malware does not seem to be interested in personal data. The Director of Security at Android, Adrian Ludwig, stated: “…we used automated tools to look for signs of other fraudulent activity within the affected Google accounts. None were found.” Gooligan’s main goal is to earn the hackers money, not steal the victim’s information.

The total of one million compromised devices is believed to be the biggest Google account breach to date.

QTF Recommendation: As always, being unaware of potential risks online is a very big issue. Everyone, no matter which operating system is used, should always avoid downloading anything from unofficial third-party app stores and clicking on unverified or untrustworthy links and files. Additionally, if possible, users should always look to update their applications whenever a new update is released, to stay up to date on all security fixes. Android users are advised to use Check Point’s Gooligan Checker to see if their account has been compromised.


Impact Rating: 3