S0290: Gooligan
Gooligan is a malware family that runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal authentication tokens that can be used to access data from many Google applications. Gooligan has been described as part of the Ghost Push Android malware family. [1] [2] [3]
Analyst context for executives and security teams
Gooligan matters because it shows how mobile malware can turn a compromised Android device into an identity and data-access problem. The ATT&CK description states that it runs privilege-escalation exploits and uses the elevated privileges to steal authentication tokens that can access data from many Google applications. For leaders, the key issue is not only infected phones; it is whether a compromised device can bypass normal account controls by reusing tokens that are already valid, creating downstream cloud and business-data exposure.
Executive priority
Prioritize this as a mobile identity-risk scenario. Executives should ask whether Android devices that access corporate Google applications are enrolled, patched, monitored, and removable from trusted access when compromise is suspected. The described behavior informs budget and control decisions around mobile device management, mobile telemetry, token and session revocation procedures, and incident response playbooks for account exposure that originates from endpoints rather than from passwords. Because ATT&CK provides no official detection text and makes no claim about current exploitation, local exposure should be assessed through device inventory, Android version posture, Google application access patterns, and incident readiness evidence.
Technical view
For SOC, detection engineering, and IR teams, validate coverage around the related behaviors: T1404 Exploitation for Privilege Escalation (Android root exploits), T1533 Data from Local System (sensitive local data such as authentication tokens), and T1643 Generate Traffic from Victim (adware installed to generate revenue). Since ATT&CK supplies no detection guidance for this malware, teams should focus on whether they can observe Android privilege-escalation indicators, unexpected root or elevated behavior, suspicious access to token or application data stores, and unusual outbound web, SMS, or advertising traffic generated by a device. IR teams should confirm they can correlate mobile device health with Google account and session activity and revoke tokens or remove device trust when needed.
Likely telemetry
- Android device inventory, OS version, patch level, enrollment, and compliance state
- Mobile security or EMM/MDM alerts for rooting, privilege escalation, suspicious app behavior, or device compromise
- Application installation provenance and changes to high-risk permissions
- Local device indicators related to unauthorized access to application data, authentication tokens, or protected storage
- Google account and application access logs showing session use, token activity, or anomalous device access where available
Detection direction
- Do not treat password-based account monitoring as sufficient; this object specifically highlights stolen authentication tokens after privilege escalation.
- Validate whether Android devices with access to business Google applications are covered by telemetry capable of identifying rooted or privilege-escalated states.
- Tune for combinations of weak signals: newly suspicious Android app behavior, elevated privileges, access to local application data, and unusual outbound traffic from the same device.
- Account for false positives from legitimate device administration, testing devices, developer phones, or user-approved apps with broad permissions.
- Check blind spots around personally owned or unmanaged Android devices, devices outside MDM enrollment, and cloud sessions that persist after a mobile device is suspected compromised.
Mitigation priorities
- Maintain an accurate inventory of Android devices that can access corporate Google applications and require appropriate enrollment or access controls for business use.
- Prioritize Android patching and device compliance enforcement because the described behavior depends on privilege escalation exploits.
- Limit trust in devices showing rooted, compromised, or noncompliant states, especially for access to sensitive Google application data.
- Prepare IR procedures for mobile-origin identity compromise, including token/session revocation, device quarantine or unenrollment, and user account review.
- Review application installation controls and user guidance to reduce exposure to untrusted Android apps.
Analyst notes and limits
The supplied ATT&CK object identifies Gooligan as Android malware associated in references with Ghost Push and describes privilege escalation followed by theft of authentication tokens used for Google applications. It also relates the malware to privilege escalation exploitation, local data access, and victim-generated traffic. The strongest defensive value is in validating mobile-to-cloud identity controls and telemetry rather than looking for a single ATT&CK-provided analytic.
ATT&CK provides no official detection section, no explicit tactics, no aliases, and no supplied indicators of compromise in the provided fields. This take therefore avoids claims about active exploitation, attribution, prevalence, or guaranteed detection. Environment-specific logs, mobile management coverage, Google application logging, and device ownership models are required to determine actual risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1643 | Generate Traffic from Victim | Gooligan can install adware to generate revenue. [1] |
| Mobile | T1533 | Data from Local System | Gooligan steals authentication tokens that can be used to access data from multiple Google applications. [1] |
| Mobile | T1404 | Exploitation for Privilege Escalation | Gooligan executes Android root exploits. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | cf4ae7a46c40… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Gooligan Citation: Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.
- [2] Ludwig-GhostPush: Adrian Ludwig. (2016, November 29). The fight against Ghost Push continues. Retrieved December 12, 2016.
- [3] Lookout-Gooligan: Lookout. (2016, December 1). Ghost Push and Gooligan: One and the same. Retrieved December 12, 2016.
- [4] Ghost Push: Gooligan has been described as being part of the Ghost Push Android malware family. (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)
- [5] Gooligan: (Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)
- [6] mitre-attack S0290: MITRE ATT&CK source record for this object.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.