It has been reported that malware named Gooligan is infecting vulnerable Android devices and compromising a large number of Google accounts. Gooligan pretends to be a legitimate Android app and tricks users into installing it, which infects the Android device. The other infection mechanism used by the malware is phishing mail, SMS or other messaging services containing a malicious link to download a Gooligan-infected app from an untrusted source. Once the device is compromised, it then installs several other unwanted apps which cannot be removed easily. These apps remain persistent on the device even after performing a factory reset of the phone.
Original Issue Date: December 06, 2016
Virus Type: Trojan/Rootkit
It has also been reported that the Gooligan malware code has been found in dozens of legitimate-looking apps on third-party Android app stores. These Android app stores are an alternative to Google Play, offering many free apps and free versions of paid apps. The security of these alternative Android app stores and the apps they offer is not always verified.
Upon installation, an infected app sends information about the affected device to the Command and Control (C&C) server. Gooligan then downloads a rootkit from the C&C server which takes advantage of multiple Android version 4 and 5 exploits, including the VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153) vulnerabilities. Exploitation of these vulnerabilities leads to the successful rooting of the Android device, allowing the attacker to have full control of the infected device.
The malware is capable of performing the following functions:
- Installs adware to generate revenue.
- Installs apps from Google Play and rates them to raise their reputation.
- Slows down the performance of the compromised device.
- Degrades the battery life of the infected device.
- Uses the phone's storage excessively due to the installation of unwanted apps without the user's knowledge.
- Causes excessive data usage.
- Injects code into the running Google Play and Google Mobile Services processes to mimic user behaviour and avoid detection.
- Notifications regarding the theft of account credentials from the infected device.
- Steals authentication tokens from the infected device and attempts to gain access to the user's sensitive data in synchronized accounts: Google Drive, G Suite, Google Photos, Google Docs, etc.
- Is capable of rooting the compromised device.
- Makes network connections to download further malware and send stolen information.
The malware life cycle, depicting its initial source of infection and its later impacts, is shown below:
One of the fraudulent apps installed by the malware is shown below:
Note: Android phone users may check their account for infection with "Gooligan" at
List of apps infected by Gooligan:
Users are requested to check the apps installed on their devices. If any of the above-listed apps are found, go to the countermeasures section and take the appropriate prevention or cleaning measures.
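The check above can be done in bulk from a workstation rather than by scrolling through the device's app list. The script below is an added example, not part of the CERT-In advisory: it parses the output of `adb shell pm list packages -i -3` (third-party packages with their installer) and `adb shell getprop ro.build.version.release`, then reports packages that match a watch list, packages that were not installed through Google Play (the advisory's infection route), and whether the OS release is in the Android 4/5 range the rootkit targets. The package names, installer names and the watch list are constructed placeholders; the advisory's own list of Gooligan-bundled apps is not reproduced on this page and should be substituted in.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of `adb shell pm list packages -i -3`
# output. These package names are placeholders, not real findings.
SAMPLE_PM_OUTPUT = """\
package:com.example.weather installer=com.android.vending
package:com.example.freegame installer=null
package:com.example.flashlight installer=com.example.thirdpartystore
"""

# Constructed sample of `adb shell getprop ro.build.version.release`.
SAMPLE_RELEASE = "5.1.1"

# Placeholder watch list: replace with the package names from the
# advisory's "List of apps infected by Gooligan".
WATCHLIST = {"com.example.freegame"}

# Installer package that corresponds to the official Google Play store.
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line per package: "package:<name>" optionally followed by " installer=<name>".
PKG_RE = re.compile(r"^package:(\S+)(?:\s+installer=(\S+))?$")


def parse_pm_output(text: str) -> Dict[str, str]:
    """Map package name -> installer; 'null' means unknown or sideloaded."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2) or "null"
    return result


def release_in_affected_range(release: str) -> bool:
    """The advisory says the rootkit uses Android 4 and 5 exploits."""
    try:
        major = int(release.split(".")[0])
    except ValueError:
        return False
    return major in (4, 5)


def triage(pm_text: str, release: str, watchlist=WATCHLIST) -> dict:
    """Summarise what a responder would want to know before cleaning the device."""
    pkgs = parse_pm_output(pm_text)
    sideloaded: List[str] = sorted(
        p for p, inst in pkgs.items() if inst not in TRUSTED_INSTALLERS
    )
    hits: List[str] = sorted(p for p in pkgs if p in watchlist)
    return {
        "affected_os": release_in_affected_range(release),
        "sideloaded": sideloaded,
        "watchlist_hits": hits,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_PM_OUTPUT, SAMPLE_RELEASE)
    print("Android release in affected range:", report["affected_os"])
    print("Packages not installed via Google Play:", report["sideloaded"])
    print("Watch-list matches:", report["watchlist_hits"])
```

A watch-list hit or an unexpected sideloaded package is a reason to follow the countermeasures below (disable sync, rotate credentials from a clean machine, reflash), not proof on its own; Gooligan's rooted state is not visible from the package list, so a clean result on an Android 4/5 device still warrants the factory reset or reflash the advisory recommends.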
- Scan the suspected device with antivirus solutions to detect and clean infections.
- Disable the account synchronization option in the infected device
- Log out of all synchronized accounts such as Gmail, Facebook, etc. and change their passwords using a clean system. Also enable 2-factor authentication for additional security.
- Try to clean the infection using the factory reset option; if that does not work, reflash the firmware to install a fresh operating system on the mobile device. Before reflashing, back up your important information such as contacts, messages, images etc. to an external device.
- Perform the reflashing of all other devices for which these accounts are synchronized.
- Do not download and install applications from untrusted sources. Install applications downloaded from reputed application market only.
- Do not click on banners, pop-ups or ad notifications.
- Turn on 2-factor authentication for your Google/other account.
- Run a full system scan on device with mobile security solution or mobile antivirus solution.
- Check for the permissions required by an application before installing.
- Exercise caution while visiting trusted/untrusted sites for clicking links.
- Install Android updates and patches as and when available from Android device vendors Install and maintain updated mobile
- Users are advised to use device encryption or the external SD card encryption feature available with most versions of the Android OS.
- Users are advised to keep an eye on data usage (including per-application usage) and any unusual increase in mobile bills.
- Users are advised to keep an eye on device battery usage (including per-application usage).
- Load Flash content on demand.
- Use Android Device Manager to locate, remotely lock, or erase your device.
- Avoid using unsecured, unknown Wi-Fi networks. There may be rogue Wi-Fi access points at public places used for distributing malicious
- Refer to security tips for mobile Phone:
The information provided herein is on "as is" basis, without warranty of any kind.
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003