More than 1 million Google accounts breached by Gooligan malware campaign

Published 1 December 2016

Check Point Research Team says that on Tuesday, hard work done by the company’s security research teams revealed a new and alarming malware campaign. The attack campaign, named Gooligan, breached the security of over one million Google accounts. The number continues to rise at an additional 13,000 breached devices each day. The company’s research exposes how the malware roots infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.

Gooligan is a new variant of the Android malware campaign found by Check Point researchers in the SnapPea app last year.

Check Point reached out to the Google Security team immediately with information on this campaign, and the researchers are working with Google to investigate the source of the Gooligan campaign.

Check Point says it is encouraged by the statement Google shared with the company addressing the issue. Google also stated that they are taking numerous steps including proactively notifying affected accounts, revoking affected tokens and deploying SafetyNet improvements to protect users from these apps in the future.

Who is affected?
Gooligan potentially affects devices on Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which is over 74 percent of in-market devices today. About 57 percent of these devices are located in Asia and about 9 percent are in Europe.

Check Point research identified dozens of fake applications that were infected with this malware. If you have downloaded one of the apps listed in Appendix A, below, you might be infected. You may review your application list in “Settings -> Apps”; if you find one of these applications, please consider downloading an antivirus product such as Check Point ZoneAlarm to check whether you are indeed infected.
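The manual check above (look at the installed app list and compare it against the affected Android versions and the known bad apps) can be scripted for a fleet. The following is an added triage helper, not Check Point's tooling: it parses the plain-text output of two stock adb commands, `adb shell getprop ro.build.version.release` and `adb shell pm list packages`, flags devices whose Android major version is in the range the article names (4.x or 5.x), and lists installed packages that match a watchlist. The watchlist and the sample device output are constructed placeholders for this example; the real package names from the article's Appendix A are not on this page and would have to be substituted.

```python
"""Gooligan exposure triage from adb output.

Added example, not part of the original article or Check Point's tooling.
Assumes the caller has already captured the output of:
    adb shell getprop ro.build.version.release
    adb shell pm list packages
The watchlist below is a CONSTRUCTED placeholder; replace it with the
real package names before using this for anything.
"""
from typing import Dict, Iterable, Optional, Set

# Android 4 (Jelly Bean, KitKat) and 5 (Lollipop) are the versions the article names.
AFFECTED_MAJOR_VERSIONS = {4, 5}

# Placeholder package names, constructed for this example only.
WATCHLIST: Set[str] = {
    "com.example.placeholder.one",
    "com.example.placeholder.two",
}


def android_major_version(getprop_output: str) -> Optional[int]:
    """Return the major version from getprop output such as '5.1.1', or None."""
    text = getprop_output.strip()
    if not text:
        return None
    head = text.split(".", 1)[0]
    return int(head) if head.isdigit() else None


def installed_packages(pm_output: str) -> Set[str]:
    """Parse 'pm list packages' output: one 'package:<name>' per line."""
    pkgs: Set[str] = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def triage(getprop_output: str, pm_output: str,
           watchlist: Iterable[str] = WATCHLIST) -> Dict[str, object]:
    """Combine the version check and the watchlist match into one verdict."""
    major = android_major_version(getprop_output)
    matches = sorted(installed_packages(pm_output) & set(watchlist))
    return {
        "android_major": major,
        "version_in_affected_range": major in AFFECTED_MAJOR_VERSIONS,
        "watchlist_matches": matches,
        # The article's remediation for a confirmed infection is a re-flash
        # followed by a password change; a watchlist hit is the trigger.
        "recommend_reflash": bool(matches),
    }


# Constructed sample output standing in for a real device.
SAMPLE_GETPROP = "5.1.1\n"
SAMPLE_PM = """package:com.android.settings
package:com.example.placeholder.two
package:com.android.chrome
"""

if __name__ == "__main__":
    print(triage(SAMPLE_GETPROP, SAMPLE_PM))
```

A device on Android 4.x or 5.x with no watchlist hit is still reported as "in affected range" so it can be prioritised for the account check described in the next section, while only an actual package match raises the re-flash recommendation.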

Check Point has noticed that hundreds of the email addresses are associated with enterprise accounts worldwide.

How do you know if your Google account is breached?
You can check whether your account is compromised by visiting the following Web site Check Point has created: https://gooligan.checkpoint.com/.

If your account has been breached, the following steps are required:

1. A clean installation of an operating system on your mobile device is required (a process called “flashing”). As this is a complex process, Check Point recommends powering off your device and approaching a certified technician, or your mobile service provider, to request that your device be “re-flashed.”
2. Change your Google account passwords immediately after this process.