Skip to main content

Gooligan got you worried? Take these steps to avoid another malware strike

Twitter: @edwardspbe

It seems that every time we turn around, there are reports of yet another mobile malware attack. In August 2016 we published an article on some Pokemon Go downloads from untrusted third party sites that resulted in hackers getting access to information on mobile phone locations, call information and more. Then, this past October, we reported on the Mirai botnet that compromised some IP cameras and digital video recorders (DVRs). And now, another malware attack has made headlines as being responsible for the biggest ever theft of Google accounts. This latest attack comes from an old malware adversary, which has become significantly more active in the second half of 2016 and was recently labelled Gooligan.

A new name for a well-known malware family

This latest attack, while concerning, is not necessarily surprising. Data from our latest Threat Intelligence report showed a 96% increase in mobile device infections in the first half of 2016. Infection rates hit an all-time high in April, reaching 1.06% of all mobile devices tracked. This may not sound like a lot but, based on recent market data, this translates to more than 22 million smartphones being affected.[1]

Further, nearly three-quarters (74%) of devices targeted for malware are running the Android™ operating system (OS) and, as highlighted by this most recent attack, one of the oldest families of Android malware continues to wreak havoc, five years after it was first devised.

Gooligan– the latest moniker assigned to the GhostPush family of Android malware – was originally exposed in 2011. Previously known as SnapPea, Qysly and GingerMaster, this malware is back in the media recently as the root cause of one million Google accounts being breached.[2] A sudden spike in GhostPush activity back in August would suggest a very effective Phishing campaign by the creators of the malware. The Googlian campaign typically arrives as an e-mail or SMS message, with offers that coax users to click on links resulting in app downloads.

Here’s how it works. Downloads are most often delivered via third-party app stores; never from Google Play. After one of the new apps is successfully installed on a device, the malware installs additional apps – without your permission. It will then proceed to collect e-mail account and authentication token information from your phone, providing access to the Google Suite of tools including Gmail, Photos, Google Drive, etc.

Securing the end-user experience

Nokia’s NetGuard EndPoint Security has been detecting various strains of this malware family for quite some time. Owing to its unique position as a network-based security tool, Nokia NetGuard Endpoint Security examines packets as they traverse the network, making the identification of malware patterns easier to detect.

As it turns out, even with a new name, packaging and functionality, elements of the GhostPush malware have remained unchanged. But one thing has remained constant – stolen information is transmitted by communicating with a Command and Control Server.

In recent months, Nokia NetGuard Endpoint Security has detected a spike in activity associated with both downloads and communications associated with Gooligan malware. Spikes like the ones shown in the graph below are not representative of normal network traffic.


The Nokia NetGuard Endpoint Security solution has been deployed in a number of major networks around the world and currently monitors network traffic from more than 100 million devices.

Using an integrated malware intelligence database, Nokia NetGuard Endpoint Security correlates suspicious network traffic patterns to known threats. The Nokia Threat Intelligence service also provides proactively the latest malware updates and signatures to confirm that the integrated database is up to date. This ensures that new malware is detected almost instantly, enabling immediate automated actions that proactively reduce problems for subscribers. This peace of mind is very important, given the growing concern for the safety of personal data.

By immediately detecting and reacting to infected devices, communications service providers (CSPs) and enterprises can effectively maintain service quality and limit erosion of their brand due to potential security breaches. These improvements, in turn, can reduce subscriber churn and cut the number of support and customer care calls, resulting in lower operating expenses.

Nokia NetGuard Endpoint Security also has a customized monitoring dashboard that provides detailed infection data in real time. These analytics provide an additional differentiator and a potential revenue source for CSPs. Device security packages can also be developed and monetized, providing security, trust and data protection for consumers and enterprises.

Take a deeper dive:

Report: Googlian – The next generation of the GhostPush family of malwareWebinar: Nokia Threat Intelligence Report – Market UpdateReport: Nokia Threat Intelligence Report – H1 2016

Share your thoughts on this topic by replying below – or join the Twitter discussion with @nokianetworks using #Gooligan #malware #telcosecurity

[1] Statista predicts that there were 2.1 billion smartphones in the world at the end of 2016. They further predict that this number will grow to 2.87 billion by 2020 (…).[2]

Paul Edwards

About Paul Edwards

Paul is a Researcher in the Nokia Threat Intelligence Lab focused on Malware and Attack detection in customer networks. A relentless do’er, Paul’s need to understand and participate in the world around him means you will rarely see him stationary or without an interesting experience to share.

Article tags