Gooligan has compromised over one million Android devices and stolen login tokens from them. The malware was first seen in 2014, and initially it didn’t include the ability to steal Google login tokens.
Since it first appeared, the malware has been detected by different security firms under different names such as Ghost Push, MonkeyTest, and Xinyinhe. In Google reports, you’ll find it referenced as Ghost Push. This malware uses malicious apps hosted on third-party app stores to infect users. Once Gooligan has a foothold on an infected device, it contacts an online command and control (C&C) server and downloads a rootkit package that gains boot persistence and also includes four or five Android exploits that root the device.
Anyone running an older version of the Android operating system, including Android 4.x (Jelly Bean, KitKat) and 5.x (Lollipop), is most at risk. These versions represent nearly 74% of Android devices in use today. After getting root privileges, Gooligan installs apps from the Google App Store as part of affiliate pay-per-install schemes, gives fraudulent ratings to apps on the Google App Store, and installs adware that clicks on ads for the malware author’s profit.
This is what Gooligan does:
1. Steal a user’s Google email account and authentication token information
2. Install apps from Google Play and rate them to raise their reputation
3. Install adware to generate revenue
Appendix A: List of fake apps infected by Gooligan
Small Blue Point
Puzzle Bubble-Pet Paradise
Wifi Speed Pro
Sexy hot wallpaper
Talking Tom 3
Right now the only way to get rid of this malware is to re-flash your device.