If you’re in the habit of installing applications from third party app stores (meaning not from the Google Play Store) then you might want to listen to this. Apparently there’s a new malware in town going by the name of Gooligan, which is capable of doing nasty things to your Google account.

Gooligan was unearthed by security firm Check Point Research and according to them the vulnerability already breached more than 1 million Google accounts.

This is how it all works. Users install apps from unofficial sources which get the malware onboard of the phone. From there Gooligan ends up stealing email information and authentication tokens for accessing Google accounts. Hackers can use that information to install apps from the Google Play Store on the device in order to boost in-app advertising revenue. This is done without the user’s knowledge or consent.


Check Point also noted attackers can also use the information to get data from Google Play, Gmail, Google Photos, Google Docs and Google Drive.

The search firm says that numbers of breached accounts are rising by 13,000 emails on a daily basis. Check Point also claims it has notified Google of the problem.

What’s even worse is that Gooligan is said to be capable of injecting code into the Google Play Store, thus spreading its venom onto the apps that are supposed to be safe. In order to monetize these infected apps, attackers are flooding them with ads. The malware also forced devices to leave positive reviews and high ratings for the infected apps on Google Play.

Check Point calls this the “largest Google account breach to date” with the majority of infected devices located in Asia (57%), although 28% are said to be located in the Americas/Europe.


However, we should note one important detail. Only devices running Android Lollipop or older are affected. So if you have Marshmallow or Nougat running on your phone or tablet, you should be safe from Gooligan.

However, according to Google’s recent numbers, more than 75% of Android users are currently running Lollipop or lower.

Google’s Director or Android Security, Adrian Ludwig has already reached out to uses, saying that Google has worked closely with Check Point in order to come up with ways to protect users against the Gooligan thread.


The search giant has revoked affected tokens and has been using Verify Apps on Android devices to block Gooligan-infected apps. When malicious activity is detected, owners receive a warning and installations are halted.

Back in 2015, Google noted in its Android security report that a third of Android apps downloaded via third-party app stores were infected with Ghost Push. Well Gooligan is an even more aggressive version of Ghost Push.


If you too have downloaded apps from non-Google Play app stores, you can go ahead and visit Check Point’s blog post to see the list of 86 apps known to have been infected with Gooligan. You can also use this tool to see whether your account has been affected.

Check Point also advertises its own Mobile Thread Prevention tool which is said to “keep Android and iOS devices connected to your organization’s network safe from advanced attacks like Gooligan.” Users can request a free demo. Got to monetize such a big malware campaign, right?

Note: Select outbound links may include affiliate tracking codes and AndroidGuys may receive compensation for purchases. Read our policy. As an Amazon Associate we earn from qualifying purchases.