What you need to know about ‘Gooligan’
Your phone could be secretly downloading apps behind your back, thanks to a new kind of malware.
Your phone may be cheating on you. Downloading secret apps and leaving positive reviews of those apps online—all without your knowledge.
The scoundrel behind this mischief is ‘Gooligan,’ a mix of hooligan and Google, and has taken over more than a million Google accounts through their Android devices, according to Check Point Software Technologies.
It’s still going, at a rate of 13,000 newly infected phones a day, Check Point researchers said in a post.
“We believe that it is the largest Google account breach to date, and we are working with Google to continue the investigation,” Check Point wrote.
Here’s what you need to know to check your phone and keep it Gooligan-free.
Banker Star of Las Vegas is one of the Gooligan apps, according to Check Point researchers.
Phones affected by Gooligan:
Devices using Android 4 (Jelly Bean, KitKat) and 5 (Lollipop).
These make up more than 70% of Android devices currently in use, according to Check Point.
How to check
Go to this link and type in your Google e-mail address. Check Point will tell you if your phone is infected and how to get rid of it. If it is not infected, you will receive a message saying your account was not breached, along with an ad for a Check Point security product.
An image of the Gooligan checker from Check Point.
What Gooligan does
The malware takes over your device, then starts installing apps from Google Play. It will rate the app as you, giving it high marks.
“Good game,” your phone might write for you, under your name. Or, “Cleans my phone up great.”
One of the apps downloaded by Gooligan is Power Saver-Battery Lite, which gets a 4.3 rating, thanks to the phones of thousands of unwitting victims, the report said.
Gooligan can also trick the system and download an app twice on your phone.
The malware can also let attackers into your sensitive data from Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite, Check Point said.
The Power Savery-Batter Lite is one of the apps downloaded by Gooligan, according to Check Point.
Why the attackers do it
The malicious hackers get money for installing the apps.
Gooligan makes other people’s phones download at least 30,000 apps every day, a total of more than two million apps since the attack began, Check Point said.
“The malware simulates clicks on app advertisements provided by legitimate ad networks and forces the app to install on a device,” researchers said. “An attacker is paid by the network when one of these apps is installed successfully.”
How you get it
You may get Gooligan when you install a legitimate-looking app from a third-party Android app store, Check Point said. The app secretly hides the Gooligan malware.
“These stores are an attractive alternative to Google Play because many of their apps are free, or offer free versions of paid apps,” researchers said. “However, the security of these stores and the apps they sell aren’t always verified.”
You may also get it through a phishing scam. The bad guys may send you a message with a link to the infected apps. If you click and download the app, you could have Gooligan.
A review from a Gooligan victim who discovered an app was installed on their phone without his or her permission, according to Check Point.
How you get rid of it
If you have it, you will need to flash your phone, in other words, do a clean installation of your operating system.
“As this is a complex process, we recommend powering off your device and approaching a certified technician, or your mobile service provider, to request that your device be ‘re-flashed,’” the post said.
Then you will need to change your Google account password.
What Google is doing
Google has had a problem with this family of malware before, called Ghost Push.
The company is removing Ghost Push apps from Google Play, along with the apps that soak up the riches from fake installs, Google’s Adrian Ludwig said in a post.
Google has notified affected users, he added, and is giving them instructions on how to sign back in securely.
“We’ve deployed Verify Apps improvements to protect users from these apps in the future,” Ludwig wrote. “Even if a user tries to install an offending app from outside of Play, Verify Apps has been updated to notify them and stop these installations.”
Plus, the company is working with Internet service providers to destroy the Internet infrastructure Ghost Push malware is using, he said.
Puzzle Bubble Pet Paradise is one of the Gooligan apps, Check Point reported.
The good news
There is no evidence the malware is trying to steal your data or sensitive information, Ludwig said.
“The motivation behind Ghost Push is to promote apps, not steal information, and that held true for this variant,” he wrote.
In addition, Gooligan will only affect your Android device if you have enabled app installations from unknown sources, according to Forbes.
“If the phone or tablet you’re using already runs Android 6 Marshmallow or you’ve got a shiny, new Pixel running Nougat, you’re safe even if you do allow app installs from unknown sources,” Lee Mathews wrote in Forbes.
Here is a list of apps infected by Gooligan, according to Check Point. If you have one of these apps on your Android phone, you may also have malware.
Small Blue Point
Puzzle Bubble-Pet Paradise
Wifi Speed Pro
Sexy hot wallpaper
Talking Tom 3