Don’t Let Gooligan Flush Your Google Business Accounts

Mashable and other publications are covering research released from Check Point about a new malware variant known as “Gooligan.”

And this malware could put your business at risk, even if it hasn’t infected your own phone.

If you stick to the Google Play Store, you probably aren’t one of the victims.  The malware came from apps downloaded from third party stores.  But could any of your employees, vendors, and business partners be among the 1 million+ affected?

The possible danger to your business is not the fraudulent apps that my be downloaded to someone’s Android phone.  The malware works by stealing email accounts and the authentication tokens that provide access to Google accounts.  This could include access to any Google My Business, Google AdWords, Google Analytics, Google Tag Manager, and Google Search Console that the stolen account can access.

It’s not only time to check if your own Android phone has been breached (which you can check here).  I’ve seen a lot of bad habits develop over Google account access with SMBs, so this is also a good time to strengthen your business account access.  And if you have just one Google account you share among employees and vendors to access your analytics, advertising, and business listing – this is an excellent time to stop.

Check Your Own Account

Once you verify your Android account is Gooligan-free, head on over to your own Google Security check:

  • Check your recovery information – is everything current?
  • Check your connected devices – recognize every device?  If in doubt, end access.  This is a huge headache if you share this account with others for account access.
  • Check your account permissions – you may be shocked at how much access some apps have.  And again, if you shared this login with others, you may not have a clue what some of these apps are.  Some of them could even be malware.  Make sure you remove ANYTHING that makes you even a tiny bit nervous.
  • Check your app passwords.  There are few apps today with this requirement, and you should delete access if at all possible.

google security checkup

Finally, check your 2-step authentication.  Not using it?  Do you lock your doors at night?  You should.  Do both.

Google Two Factor Authentication

Everyone Needs Their Own Set of Keys

You may have noticed in your security review that there were apps that could access your Google My Business, AdWords, Google Analytics, and other business-related Google products.

I recommend that business owners create a new Google account solely for the purposes of managing API access to third party apps.  I’ve often found accounts with a dozen or more apps with access to business tools that the business owner did not even recognize.  As you do the following security checks, switch the API access over to the new Google account, and then assign the correct level of access to this new account.

This way, if more than one person needs to manage access via these apps, you won’t be sharing your own ownership-level Google account with anyone.

When done properly, there should be no app access to your business account assets from your own personal Google account.

Google My Business

Your GMB listing is the key to your local SEO.   Make sure everyone who has access has the right kind of access.  Review Owners and managers of listings. When you review your security access, you may have granted access to your GMB listings to third-party apps.

Google AdWords

Google AdWords provides multiple ways to grant access to users at different levels.  Any third party or agency who will manage your AdWords account should do so through linking their own AdWords manager accounts via invitation.  An agency should never request access by asking  for your password.

For individuals, you can invite access via email. Only grant the minimum access level (Email-only, Read-only, Standard, Administrative) absolutely needed.

Google Analytics

You can assign access to users for Google Analytics at the Account, Property, or View level.  User access can be set for Read & Analyze, Collaborate, Edit, and Manage Users.  Access is granted by entering the person’s Google account email address. When a third party is setting up your account, they may temporarily need Edit at the Property level to set up your filters; this access may be downgraded one your filters are configured.

Search Console

Formerly known as Webmaster Tools, the Search Console provides access to your organic traffic, search configuration, and other Google Search-related functions.

You manage both user access and application association via the Search Console interface.  Most third parties should require no more than user-level access.

Schedule Security Checkups

You should schedule regular security checkups for yourself, your employees, and your vendors.   And keep up with security-related Google news by reading and subscribing to the Google Security Blog.


And while you’re at it, consider getting you and your team onto a password management tool.  Check out these reviews of 2016’s best password managers at TechRadar.


Leave a Reply