If you needed yet another reminder not to install untrusted applications without fully knowing where they come from, here it is: researchers with Check Point Software Technologies recently published details on new Android malware named “Gooligan” that has compromised more than 1 million Google Accounts. Check Point said that figure is increasing by an additional 13,000 accounts as users continue to download infected applications.

Snap Point traced Gooligan’s roots back to an app named “SnapPea,” which it identified as malware last year. It has since popped up in “dozens of legitimate-looking apps on third-party Android app stores,” the research firm explained. Third party app stores aren’t controlled by Google, which is why Google always recommends its users download applications from Google Play, where they can be scanned for malware and other issues.


As Check Point explains, Android users often seek out illegitimate third-party app stores as a way to find free versions of paid applications. It might work most of the time, but it also exposes you to malware and, in this case, very dangerous malware that can gain access to your entire Google account. “Gooligan-infected apps can also be installed using phishing scams where attackers broadcast links to infected apps to unsuspecting users via SMS or other messaging services,” the company explained.

Check to see if your account is exposed to Gooligan

A device infected by Gooligan is potentially granting access to data stored in any of Google’s applications including Google Docs, Google Drive, Google Photos, Gmail and Google Play. The majority of infected accounts, 57 percent, are in Asia, according to Check Point. 19 percent of accounts originate in the Americas, 9 percent are infected in Europe and 15 percent of affected accounts are in Africa.

Attackers get more than private data, however. They can actually turn your Android device into a money-making machine. Check Point said attackers will first steal your account and authentication token information, and then use your credentials to install adware that ends up generating revenue. They also use infected accounts to “install apps from Google Play and rate them to raise their reputation.” That explains why you sometimes see really terrible apps with high ratings.

Check Point said it believes this is the “largest Google Account breach to date” and said it has alerted Google to the problem. “We’re appreciative of both Check Point’s research and their partnership as we’ve worked together to understand these issues,” Google’s director of Android security Adrian Ludwig told the researchers. “As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall.”

Check Point has a tool that allows you to check if your account is affected, so be sure to run yours through it (it was down at the time of publication, sadly enough, but be sure to check back.) Hit the source for more information, including a full list of apps that are infected with Gooligan.