Gooligan hooligans have compromised at least one million Google accounts

Quite possibly the largest Google account breach to date.

David Bisson

Attackers are using an Android malware campaign known as Gooligan to target Android users and breach the security of their Google accounts.

So far, the malicious hackers have compromised one million Google accounts, but each day, they hack an additional 13,000 devices.

A Gooligan infection begins one of two ways. Android users might tap on a malicious link sent to them in a phishing email, or they could download a fake app from a third-party store.

Let’s face it: there’s no good that can come from apps with names like “Sex Photo,” “com.example.ddeo,” and “Test.”

Upon successful infection, Gooligan sends data about the infected device to its command and control server. It’s then that the malware gets down and dirty.

As the Check Point research team explains in a blog post:

“Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153). These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user. If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.”

But the attackers don’t stop there. They download a module onto the device that injects code into Google Mobile Services so as to mimic user behavior and thereby avoid detection, something researchers observed first with Hummingbad.

The module grants attackers the ability to load up adware, download apps and positively rate them in an attempt to generate revenue, and steal a user’s Google authorization token.

An example of fake reviews and comments to one of the fraudulent applications. (Source: Check Point)

Wait… a Google authorization token? What’s that?

It’s essentially something that grants an actor access to a Google account and the related services of a user. An authorization token allows someone to bypass two-step verification (2SV) and other measures that might be protecting a user’s account to access their Google Drive, Gmail, and other parts of their Google identity.

In other words, if you steal someone’s Google authorization token, you gain complete control over their account.

Check Point doesn’t mince its words when evaluating the seriousness of this campaign:

“Gooligan has breached over a million Google accounts. We believe that it is the largest Google account breach to date, and we are working with Google to continue the investigation. We encourage Android users to validate whether their accounts have been breached.”

Users can check to see if Gooligan compromised their Google accounts by visiting If your account is affected, you should install a clean version of the Android operating system onto your phone, and then change your Google password.

Gooligan likes to hang around third-party app marketplaces, so in general, Android users might be safer downloading their apps only from the Google Play Store and should never click on suspicious links.
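
For anyone responsible for more than one handset, the exposure described above (Android 4 or 5, plus apps that did not come from Google Play) can be triaged from device inventory. The following is an added example, not code from Check Point or from this article; it assumes each record holds the device's Android release string and the text output of `pm list packages -i -3`, and the record schema, device ids, sample package names and priority heuristic are all constructed for illustration.

```python
import re

PLAY_STORE = "com.android.vending"      # Google Play's installer package name
EXPOSED_MAJORS = {4, 5}                 # Android versions named in the Check Point quote
NAMED_APPS = {"sex photo", "com.example.ddeo", "test"}  # app names cited in the article
PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_packages(pm_output):
    """Parse `pm list packages -i -3` text into (package, installer) pairs."""
    pairs = []
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            pairs.append((m.group(1), None if m.group(2) == "null" else m.group(2)))
    return pairs

def triage(device):
    """Return (priority, findings) for one inventory record (hypothetical schema)."""
    findings = []
    major = re.match(r"\d+", device["release"])
    exposed = bool(major) and int(major.group()) in EXPOSED_MAJORS
    if exposed:
        findings.append("os-in-exploited-range")
    risky_app = False
    for pkg, installer in parse_packages(device["pm_output"]):
        label = device.get("labels", {}).get(pkg, "")  # optional package -> display name map
        if installer != PLAY_STORE:
            findings.append("not-from-play:" + pkg)
            risky_app = True
        if pkg.lower() in NAMED_APPS or label.lower() in NAMED_APPS:
            findings.append("named-in-article:" + pkg)
            risky_app = True
    # Assumed heuristic: both conditions together match the infection path described above.
    priority = "high" if exposed and risky_app else "medium" if exposed or risky_app else "none"
    return priority, findings

# Constructed sample inventory; device ids and the org.constructed.* packages are made up.
FLEET = [
    {"id": "dev-a", "release": "4.4.2",
     "pm_output": "package:com.example.ddeo  installer=null\n"
                  "package:org.constructed.notes  installer=com.android.vending"},
    {"id": "dev-b", "release": "7.0",
     "pm_output": "package:org.constructed.notes  installer=com.android.vending"},
    {"id": "dev-c", "release": "5.1.1",
     "pm_output": "package:org.constructed.mail  installer=com.android.vending"},
]

def triage_fleet(fleet):
    """Map each device id to its (priority, findings) result."""
    return {d["id"]: triage(d) for d in fleet}
```

A "high" result only marks a device as matching the conditions the article describes; it does not show that the Google account on it was compromised.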

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

4 comments on “Gooligan hooligans have compromised at least one million Google accounts”

  1. Bob

    Not a week goes by without us hearing about another serious Android vulnerability.

    I wish Google would get their act together and secure their OS and Play Store.

    Bad security affects everybody.

    1. Matthew · in reply to Bob

      This attack has nothing to do with their store. And it is the carriers and OEMs who fail to make patches available to end users.

      1. Bob · in reply to Matthew

        Matthew, I'm referring generally to Google's lax attitude towards Android security.

        There are many pieces of malware lurking in the Play Store which have been the feature of successful infection campaigns.

        It is carriers and OEMs who delay the rollout of patches; however, sometimes Google themselves delay the release.

        Full disk encryption is a relatively new concept having been present in iOS and Blackberry devices for years. Hell, not all new Androids fully support encryption.

    2. Spryte · in reply to Bob

      I have to agree.
      We use these devices every day, from playing solitaire to banking and investing our hard-earned money.
      The big G needs to ensure that the apps we use to do all of these things are safe and secure to use. Even to the point of testing the apps and if there is an issue reaching out to the developers and telling them what is wrong or where there are deficiencies.

      After all they know ***everything*** don't they? ;)
