By Robert McMillan
Malicious software disguised as legitimate apps for Android smartphones and tablets has seized control of more than
one million Google accounts since August, according to research from security firm Check Point Software Technologies
The apps had innocent-sounding names, such as StopWatch, Perfect Cleaner and Wi-Fi Enhancer. But they exploited
known flaws in older versions of the Android operating system to take control of devices and install other apps and ad-
spewing software without permission. Some of the unauthorized apps also used the victim's user name and password to post
Users whose devices have been infected see pop-up ads and unwanted software, said the Israel-based security firm.
Gooligan is a variant of malicious software known as Ghost Push, which has been giving Android users headaches for
two years. Google, a unit of Alphabet Inc., last year tracked more than 40,000 Ghost Push apps.
"We appreciate Check Point's partnership as we've worked together to understand and take action on these issues," a
Google spokesman said on Tuesday.
Check Point researchers shared their findings with Google and worked closely with the company to develop techniques
to fix infected devices, a Check Point spokeswoman said. "We continue to work with Google today to discover who or what
group is responsible for the Gooligan campaign."
Google said it has removed apps associated with Ghost Push from Google Play. It has also taken steps disrupt the
servers used by the malware's creators and to secure Google accounts compromised by the malicious software.
Although the free apps offered by alternative stores can be enticing, they come with risks, Google said. In a
Google+ post, the company urged users to download only from the Play store.
Devices at risk from the Gooligan software are those using Android 4 (the versions nicknamed Jelly Bean or KitKat),
initially released in 2012, or Android 5 (Lollipop), released in 2014, Check Point said.
Users wondering if their devices have been compromised can visit Check Point's site for a mobile-phone checkup and
to learn more.
Gooligan thrives on an increasingly serious Android problem: Users don't update their operating systems, leaving
their smartphones and tablets vulnerable to attacks that exploit known software bugs.
Android's overall security "hasn't measurably improved" since 2012, said Dave Aitel, chief executive of
cybersecurity firm Immunity Inc. "It's been a long time since everybody has been telling Google that they have a serious
problem with the ecosystem and lack of updates."
Because control over software updates lies in the hands of users, carriers, and phone manufacturers, there is no
single entity that can mandate a widespread software update, he said.
A Google spokesman said the company has taken steps recently that have significantly reduced the chances of Android
users installing malicious software, including full disk encryption for Android devices, a bounty program that pays
security researchers when they find new bugs, and new technology that makes web browsing safer on Android.
According to Google, 73% of Android users are on the Jelly Bean, KitKat or Lollipop Android releases. Fewer than
25% are on newer Android versions, including Marshmallow, released last year, and Nougat, released this year.
Although the malicious software has infected more than one million Google accounts, that is a small percentage of
the more than 1.4 billion devices that run on Android software.
Write to Robert McMillan at Robert.Mcmillan@wsj.com
(END) Dow Jones Newswires
Copyright (c) 2016 Dow Jones & Company, Inc.