The battle against Android malware is ongoing, but it's a big world and Android is everywhere. It presents a tempting target for criminals, and the Gooligan malware is just the latest attempt to make a buck off the trusting nature of smartphone users. This attack has compromised more than a million phones in the last few months, and as many as 13,000 new infections are occurring each day. The goal is not to steal your data (although that can still happen), but to make you download apps in an advertising fraud scheme.
A Gooligan infection starts with downloading an infected app from a third-party app store. Gooligan is a variant of Ghost Push, which Google has been aware of since last year. It only works on versions of Jelly Bean, KitKat, and Lollipop—all newer versions are patched. Upon being installed by the user, it downloads a root exploit like Towelroot to gain full access to the device. The malware copies the user's account token and sends it to a remote server, giving the malware authors full access to the account data.
Security firm Check Point was able to trace this server and uncovered 1.3 million Google accounts. It does not appear the cyber criminals have done anything with all that user data yet. Instead, they are using the malware to inject code into the Play Store and download apps. They earn money from the ads in garbage apps like "Fast Cleaner" and "WiFi Accelerate." As many as 30,000 apps are being downloaded by infected devices every day, according to Check Point. The attackers are also leaving automated fake reviews on these apps in the Play Store.
The rate at which Gooligan is spreading is extremely high, but Google and Check Point are working together to deal with the threat. A tool has been released for users to scan their phones for infection, and Google has reset the account tokens for compromised accounts. Apps associated with Gooligan activity have also been pulled from the store. If you've got an older device, it's probably a good idea to avoid installing any random APKs you find online.