If you are using an Android smartphone or any other Android device, chances are that you have been attacked by a new piece of malware called Gooligan, which has affected over a million Google accounts. The malware is extremely rampant among users of Android version 4 and Android version 5 – Android Ice Cream Sandwich (or ICS), Android Jelly Bean and Android Lollipop – which are outdated Android versions that are still widely used on older devices and on very low-budget smartphones and tablets. The research conducted by Check Point revealed that a large number of Android users were already affected by the Gooligan malware. The firm has also published a detailed research article on how the devices were affected and what data has been compromised.

The news is definitely disconcerting, as the majority of Android users are budget phone users and many of them are used to running older software on their devices. According to Check Point, over 50 percent of the affected devices are from India. Currently, over 74 percent of Android devices run the older, affected Android versions, so the numbers are seriously mind-boggling. The Gooligan malware not only attacks your phone; since it also attacks your Google account, it has access to all your sensitive data and files, including those stored in Gmail, Google Docs, Google Photos, etc. It even steals authentication tokens, rendering your multiple layers of authentication useless. It can also load viruses inside apps and download hidden malware apps onto your device, which can seriously affect the working of your phone.

The Gooligan malware was discovered last year, but it has cropped up again this year. The malware was discovered in August 2016 and has been rampant on devices since then. Gooligan has been affecting over 13,000 Android devices daily, of which 57 percent are from Asia, 19 percent from the US, 15 percent from Africa and only 9 percent from the UK. The malware is affecting Asia and the USA the most. It gets downloaded automatically when a user inadvertently clicks a spam link or downloads an app, and it runs in the background. The Gooligan malware is not easily detectable. It even rates apps on Google Play and posts malicious reviews on behalf of the Google account, which at times leads to the account being blocked by Google. Google has already been informed of the malware and its potential, but so far no action has been taken to protect these devices.

The one problem with Google Android is the plethora of devices. It often becomes difficult for Google to track and monitor older versions and to know whether the security patches it releases are reaching all devices over OTA updates. Google recently announced that its devices are as safe as, if not safer than, iOS, and it looks like that claim will be put to the test soon. According to the report by Check Point:

The attack campaign, named Gooligan, breached the security of over one million Google accounts. The number continues to rise at an additional 13,000 breached devices each day.

Our research exposes how the malware roots infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.

Gooligan is a new variant of the Android malware campaign found by our researchers in the SnapPea app last year.

Check Point reached out to the Google Security team immediately with information on this campaign. Our researchers are working closely with Google to investigate the source of the Gooligan campaign. 

But how do you know if your account is safe? Check Point has provided a link where you can check whether your Google account is safe or affected. If your account has been breached, you need to clean it up. Here’s the process to clean your account:

  1. A clean installation of an operating system on your mobile device is required (a process called “flashing”). As this is a complex process, we recommend powering off your device and approaching a certified technician, or your mobile service provider, to request that your device be “re-flashed.”
  2. Change your Google account passwords immediately after this process.