Connect with us

Hi, what are you looking for?


Mobile & Wireless

“Gooligan” Android Malware Steals Authentication Tokens to Hack User Accounts

Android Malware Steals Authentication Tokens to Compromise More Than 1 Million Google User Accounts

Android Malware Steals Authentication Tokens to Compromise More Than 1 Million Google User Accounts

Researchers from Check Point Software Technologies shared details on Wednesday of new Android malware that has compromised more than a million Google Accounts.

Dubbed Gooligan by the security firm, the malware targets devices running Android 4 and 5, which represent nearly 74 percent of Android devices currently in use.

According to Check Point, the mobile malware can steal authentication tokens stored on devices which can be used to access sensitive data from Gmail, Google Photos, Google Docs and other services, including G Suite.

Check Point’s research team originally discovered Gooligan’s code in a malicious app called SnapPea last year. They discovered a new variant in August 2016 which they say is infecting 13,000 Android devices per day, with approximately 57 percent of infected devices located in Asia and about nine percent in Europe.

“The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device, or by clicking on malicious links in phishing attack messages,” Check Point explained in a blog post.

After gaining control over the Android device, the cybercriminals behind Gooligan make money by fraudulently installing apps from Google Play and rating them on behalf of the victim, Check Point said. Gooligan installs at least 30,000 apps daily on compromised devices, totaling more than 2 million apps since the campaign first kicked off.

Advertisement. Scroll to continue reading.

“If your account has been breached, a clean installation of an operating system on your mobile device is required. This complex process is called flashing, and we recommend powering off your device, and approaching a certified technician or your mobile service provider, to re-flash your device,” said Michael Shaulov, Check Point’s head of mobile products.

Check Point has made available a free online tool that allows users to check if their account has been breached by Gooligan. 

In related Android security news, Palo Alto Networks shared details on a recently discovered Android Trojan dubbed “PluginPhantom” that abuses a legitimate plugin framework to update itself and evade static detection. According to to the network security firm, PluginPhantom focuses on data theft and is capable of stealing files, contacts, location data and Wi-Fi information, while also being able to take photos, capture screenshots, intercept and send SMS messages, record audio and log keystrokes.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.