Archer

 

Your phone could be secretly downloading apps behind your back, thanks to a new kind of malware.

 

Your phone may be cheating on you. Downloading secret apps and leaving positive reviews of those apps online—all without your knowledge. 

The scoundrel behind this mischief is ‘Gooligan,’ a mix of hooligan and Google. It has taken over more than a million Google accounts through their owners’ Android devices, according to Check Point Software Technologies.

It’s still going, at a rate of 13,000 newly infected phones a day, Check Point researchers said in a post.

“We believe that it is the largest Google account breach to date, and we are working with Google to continue the investigation,” Check Point wrote.

Here’s what you need to know to check your phone and keep it Gooligan-free.

 


Banker Star of Las Vegas is one of the Gooligan apps, according to Check Point researchers. 

 

Phones affected by Gooligan:

Devices using Android 4 (Jelly Bean, KitKat) and 5 (Lollipop).

These make up more than 70% of Android devices currently in use, according to Check Point.

How to check

Go to this link and type in your Google e-mail address. Check Point will tell you if your phone is infected and how to get rid of it. If it is not infected, you will receive a message saying your account was not breached, along with an ad for a Check Point security product.

 


 

What Gooligan does

The malware takes over your device, then starts installing apps from Google Play. It will rate the app as you, giving it high marks.

“Good game,” your phone might write for you, under your name. Or, “Cleans my phone up great.”

One of the apps downloaded by Gooligan is Power Saver-Battery Lite, which gets a 4.3 rating, thanks to the phones of thousands of unwitting victims, the report said.

Gooligan can also trick the system and download an app twice on your phone.

The malware can also let attackers into your sensitive data from Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite, Check Point said.

 

Power Saver-Battery Lite is one of the apps downloaded by Gooligan, according to Check Point.

 

Why the attackers do it

The malicious hackers get money for installing the apps. 

Gooligan makes other people’s phones download at least 30,000 apps every day, a total of more than two million apps since the attack began, Check Point said.

“The malware simulates clicks on app advertisements provided by legitimate ad networks and forces the app to install on a device,” researchers said. “An attacker is paid by the network when one of these apps is installed successfully.”

How you get it

You may get Gooligan when you install a legitimate-looking app from a third-party Android app store, Check Point said. The app secretly hides the Gooligan malware.

“These stores are an attractive alternative to Google Play because many of their apps are free, or offer free versions of paid apps,” researchers said. “However, the security of these stores and the apps they sell aren’t always verified.”

You may also get it through a phishing scam. The bad guys may send you a message with a link to the infected apps. If you click and download the app, you could have Gooligan.

 

A review from a Gooligan victim who discovered an app was installed on their phone without their permission, according to Check Point.

 

How you get rid of it

If you have it, you will need to flash your phone, in other words, do a clean installation of your operating system.

“As this is a complex process, we recommend powering off your device and approaching a certified technician, or your mobile service provider, to request that your device be ‘re-flashed,’” the post said.

Then you will need to change your Google account password.

What Google is doing

Google has had a problem with this family of malware, called Ghost Push, before.

The company is removing Ghost Push apps from Google Play, along with the apps that soak up the riches from fake installs, Google’s Adrian Ludwig said in a post.

Google has notified affected users, he added, and is giving them instructions on how to sign back in securely.

“We’ve deployed Verify Apps improvements to protect users from these apps in the future,” Ludwig wrote. “Even if a user tries to install an offending app from outside of Play, Verify Apps has been updated to notify them and stop these installations.”

Plus, the company is working with Internet service providers to destroy the Internet infrastructure Ghost Push malware is using, he said.

 


Puzzle Bubble Pet Paradise is one of the Gooligan apps, Check Point reported.

 

The good news

There is no evidence the malware is trying to steal your data or sensitive information, Ludwig said.

“The motivation behind Ghost Push is to promote apps, not steal information, and that held true for this variant,” he wrote.

In addition, Gooligan will only affect your Android device if you have enabled app installations from unknown sources, according to Forbes.

“If the phone or tablet you’re using already runs Android 6 Marshmallow or you’ve got a shiny, new Pixel running Nougat, you’re safe even if you do allow app installs from unknown sources,” Lee Mathews wrote in Forbes.

Suspicious apps

Here is a list of apps infected by Gooligan, according to Check Point. If you have one of these apps on your Android phone, you may also have malware.

Perfect Cleaner

Demo

WiFi Enhancer

Snake

gla.pev.zvh

Html5 Games

Demm

memory booster

แข่งรถสุดโหด

StopWatch

Clear

ballSmove_004

Flashlight Free

memory booste

Touch Beauty

Demoad

Small Blue Point

Battery Monitor

清理大师

UC Mini

Shadow Crush

Sex Photo

小白点

tub.ajy.ics

Hip Good

Memory Booster

phone booster

SettingService

Wifi Master

Fruit Slots

System Booster

Dircet Browser

FUNNY DROPS

Puzzle Bubble-Pet Paradise

GPS

Light Browser

Clean Master

YouTube Downloader

KXService

Best Wallpapers

Smart Touch

Light Advanced

SmartFolder

youtubeplayer

Beautiful Alarm

PronClub

Detecting instrument

Calculator

GPS Speed

Fast Cleaner

Blue Point

CakeSweety

Pedometer

Compass Lite

Fingerprint unlock

PornClub

com.browser.provider

Assistive Touch

Sex Cademy

OneKeyLock

Wifi Speed Pro

Minibooster

com.so.itouch

com.fabullacop.loudcallernameringtone

Kiss Browser

Weather

Chrono Marker

Slots Mania

Multifunction Flashlight

So Hot

Google

HotH5Games

Swamm Browser

Billiards

TcashDemo

Sexy hot wallpaper

Wifi Accelerate

Simple Calculator

Daily Racing

Talking Tom 3

com.example.ddeo

Test

Hot Photo

QPlay

Virtual

Music Cloud