Gooligan is a family of Android malware first discovered in malicious applications in 2015. Once infected by the malicious app, the malware attempts to contact its command and control (C2) servers to send user and device data. Gooligan then installs additional applications onto the device used for Adware – software that downloads or displays unwanted ads when a user is online, collects marketing data, and other information. The malware executes 12 exploits in order to gain root access to the Android device. It uses several evasion techniques including hiding its main code logic in system code folders and reinstalling itself after a removal attempt. In November 2016, Gooligan was used in a malware campaign to breach over one million Google accounts. This malware is distributed via malicious third-party apps and phishing campaigns. Once infected, Gooligan collects data about the device and installs rootkits. The malware then roots the devices and steals email accounts and authentication tokens in order to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, and Google Drive, among other applications. Additionally, Gooligan can inject code into Google Play and download fraudulent apps. The malware campaign affects devices on Android 4, Jelly Bean and KitKat, and Android 5, Lollipop. Just over half of the victims are located in Asia and about 19 percent are in the Americas.


  • July 2015: Newly discovered Gooligan malware infects users via the malicious SnapPea app. (Check Point)
  • November 2016: Gooligan breaches one million Google accounts. (Check Point)

Technical Details

  • Check Point provides technical details on the Gooligan malware, here

One example of the Gooligan variant. Image Source: Check Point