The Check Point labs have discovered a major new threat to all Android smartphones. It is Gooligan, a new variant of malware that threatens the safety of more than one million Google account. This threat makes rooting Android devices and steal email addresses and authentication tokens stored in them. In possession of this information, hackers can gain access to the most sensitive information of users on Gmail, Google Photos, Google Docs, Google Play, and Google Drive Suite G.

Check Point immediately he informed the Google security team about this attack. “We appreciate the contribution of Check Point, and we have partnered to fully understand and address this problem. As part of our ongoing commitment to help protect customers from malware Ghost Push variant, we have taken numerous steps to defend and improve the overall safety of the ecosystem Android “says Adrian Ludwig, director of security for Google Android.

The Check Point Mobile Research team discovered the Gooligan code for the first time in the app malevolent SnapPea, last year. Last August, the malware has reappeared in the form of a new variant, and since then has infected at least 13,000 devices per day. Approximately 57% of these devices is found in Asia, while about 9% is in Europe. Hundreds of email addresses at risk all over the world are associated with corporate email.


The infection begins to spread when a user downloads and installs an app on a vulnerable Gooligan infected Android device, or click a link to malicious content in a phishing message.

key data:

  • The malware infected every day 13,000 devices, and for the first time made the rooting of more than a million devices
  • Hundreds of email addresses all over the world are associated with Company accounts
  • Gooligan affects devices with Android version 4 (Jelly Bean, KitKat) and 5 (Lollipop), ie about 74% of Android devices in use today
  • After gaining total control of the device, hackers generate revenue with the illegal installation of apps from Google Play, making them pay to the victim.
  • Gooligan every day install at least 30,000 apps on devices that affects, or more than 2 million apps from the start of the campaign

Among the various measures, Google has contacted the affected users and revoked their token, removed the affected apps from Google Play and has enriched Verify App technology with new defensive barriers.