Android Malware Steals Authentication Tokens to Compromise More Than 1 Million Google User Accounts
Researchers from Check Point Software Technologies shared details on Wednesday of new Android malware that has compromised more than a million Google Accounts.
Dubbed Gooligan by the security firm, the malware targets devices running Android 4 and 5, which represent nearly 74 percent of Android devices currently in use.
According to Check Point, the mobile malware can steal authentication tokens stored on devices which can be used to access sensitive data from Gmail, Google Photos, Google Docs and other services, including G Suite.
Check Point’s research team originally discovered Gooligan’s code in a malicious app called SnapPea last year. They discovered a new variant in August 2016 which they say is infecting 13,000 Android devices per day, with approximately 57 percent of infected devices located in Asia and about nine percent in Europe.
“The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device, or by clicking on malicious links in phishing attack messages,” Check Point explained in a blog post.
After gaining control over the Android device, the cybercriminals behind Gooligan make money by fraudulently installing apps from Google Play and rating them on behalf of the victim, Check Point said. Gooligan installs at least 30,000 apps daily on compromised devices, totaling more than 2 million apps since the campaign first kicked off.
“If your account has been breached, a clean installation of an operating system on your mobile device is required. This complex process is called flashing, and we recommend powering off your device, and approaching a certified technician or your mobile service provider, to re-flash your device,” said Michael Shaulov, Check Point’s head of mobile products.
Check Point has made available a free online tool that allows users to check if their account has been breached by Gooligan.
In related Android security news, Palo Alto Networks shared details on a recently discovered Android Trojan dubbed “PluginPhantom” that abuses a legitimate plugin framework to update itself and evade static detection. According to to the network security firm, PluginPhantom focuses on data theft and is capable of stealing files, contacts, location data and Wi-Fi information, while also being able to take photos, capture screenshots, intercept and send SMS messages, record audio and log keystrokes.

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
More from Mike Lennon
- Watch Now: Threat Detection and Incident Response Virtual Summit
- Registration Now Open: 2023 ICS Cybersecurity Conference | Atlanta
- NetRise Adds $8 Million in Funding to Grow XIoT Security Platform
- Virtual Event Today: Zero Trust Strategies Summit
- Virtual Event Tomorrow: Zero Trust Strategies Summit
- Watch: How to Build Resilience Against Emerging Cyber Threats
- Video: How to Build Resilience Against Emerging Cyber Threats
- Webinar Today: Understanding Hidden Third-Party Identity Access Risks
Latest News
- Chrome 114 Released With 18 Security Fixes
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
- Breaking Enterprise Silos and Improving Protection
- Spyware Found in Google Play Apps With Over 420 Million Downloads
- Millions of WordPress Sites Patched Against Critical Jetpack Vulnerability
- Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery
- PyPI Enforcing 2FA for All Project Maintainers to Boost Security
- Personal Information of 9 Million Individuals Stolen in MCNA Ransomware Attack
