The Android malware that struck a million Google accounts

If you haven’t heard about Gooligan, you should. Here’s what you need to know.

Portrait of Tammy Strobel
My Reading Room

If you haven’t heard about Gooligan, you should. Here’s what you need to know.

Back in December, cybersecurity firm Check Point published their findings about Gooligan, a malware that infects Android OS devices. The report showed that Gooligan has already infected more than a million Google accounts (the e-mail address you use to setup your Android phone) around the world.

Affected devices were running Android OS 4.x (Ice Cream Sandwich, Jelly Bean, KitKat) and 5.0 (Lollipop) – which makes up 74% of all existing Android devices, according to Android’s developer blog. 57% of the infected devices are located in Asia. Gooligan works by riding in on infected apps or malicious URLs.

Once a phone is infected, Gooligan will download a rootkit from their attacker’s servers. A successful rooting will grant the attacker full control and privileged access to the infected phone. Gooligan will then get to work by injecting code to mimic user behavior in order to avoid detection, while it does the following:

• Stealing a user’s Google email account and authentication token information.

• Installing apps from Google Play and rate them to raise their reputation.

• Installing adware to generate revenue.

The end result is a compromised phone and Google account. This means having your Gmail’s contents hacked, Google Play account details compromised, and Google Drive documents leaked. Before Gooligan goes any further, here are some steps by Check Point that can help you save your phone: Go to to ascertain if your Google account has been compromised by the malware.

If you are, send your device to a professional technician for a ROM flashing. A flash basically wipes the phone’s operating system and reinstalls it, which is something far beyond a simple hard erase and reset of all your personal data. Since Gooligan uses a rootkit to burrow into Android OS itself, flashing the OS becomes a must.

Once flashing is complete, change your Google account password. If you’re not affected, that’s great. It’s worth noting that Gooligan gains initial access via third-party apps found outside of the Google Play Store, so it helps if you refrain from downloading unverified apps for a while.