The infection begins when a user installs a Gooligan-infected app on a vulnerable Android device.
After achieving root access, Gooligan downloads a new malicious module from the C&C server and installs it on the infected device. This module injects code into the running Google Play or GMS (Google Mobile Services) processes so that its actions mimic legitimate user behavior, letting Gooligan avoid detection; the technique was first seen with the mobile malware HummingBad. The module allows Gooligan to:
- Steal a user’s Google email account and authentication token information
- Install apps from Google Play and rate them to raise their reputation
- Install adware to generate revenue