'Gooligan' virus infects 1 million Android phones

A new variant of Android malware dubbed ‘Gooligan’ is out, and spreading fast--by one estimate, it’s already infected more than 1 million smartphones and counting.
Check Point Software said hackers target their victims by getting them to download a Gooligan-infected app from a third-party app store or getting them to click on a malicious link in a phishing message. Once the virus is in, it’s capable of rooting the user’s phone, stealing their email address and password and using the phone’s security token to download new apps from Google Play.

Check Point estimates the virus infects 13,000 Android phones and automatically downloads more than 30,000 apps per day. It targets phones running Android 4 and 5, which together power nearly three out of four Android phones in use today.
“This theft of over a million Google account details is very alarming and represents the next stage of cyber-attacks,” Check Point executive Michael Shaulov said in a statement. “We are seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them.”

In a lengthy post on Google+, Adrian Ludwig, Google’s director of Android security, said the company found no evidence that hackers had used stolen usernames and passwords to pull data from people’s accounts. They also didn’t find evidence hackers are specifically targeting their victims--rather, they’re opportunistically targeting people with older Android operating systems with the goal of driving app downloads for money.
Ludwig added Google has removed apps from Google Play that spread the virus and removed apps from developers who paid to get their software automatically installed on infected phones. Additionally, the company revoked security tokens from affected users, and gave them instructions on how to regain control of their credentials.
Fixing a phone that’s been infected by Gooligan isn’t easy. The software was designed to bury itself deep in the phone’s operating system and delete files in its wake that would make the virus easy to discover and remove. People who suspect they’ve been infected by the virus need to take their phone to an authorized service center for a process called re-flashing.
Gooligan is one variant of a larger family of Android malware called Ghost Push. Check Point said it has been tracking Ghost Push viruses since discovering the family last year in SnapPea, an app that was marketed as legitimate software.
Last year, a man who claimed to be a SnapPea customer wrote in a Facebook post on the company’s wall describing how the app seemed to be installing other apps on its own.
“No sooner did I run Snappea then moments later I started getting [potentially unwanted program] warnings from Malwarebytes (I must've missed the notifications the first time) and the apps started installing again,” the customer wrote. “I uninstalled them, waited a little while, they didn't come back. But playing a hunch I plugged my device back into Snappea and sure enough they started installing again!”
SnapPea, which is based in China, did not immediately respond to a request for comment.
Check Point estimates the Gooligan virus has automatically downloaded more than 2 million apps to Android phones to date. The company created a website for people to check if their accounts have been compromised by the virus: https://gooligan.checkpoint.com/
