Android malware infects over one million Google accounts

New Android malware called Gooligan has breached the security of more than one million Google accounts, according to Check Point Software Technologies.

The malware roots Android devices, stealing the email addresses and authentication tokens stored on them.

After attackers gain control of the device, they generate revenue by fraudulently installing apps from Google Play and rating them on behalf of the victim.

Check Point found that the campaign is infecting 13,000 devices each day and has been the first to root over one million devices.

“This theft of over a million Google account details is very alarming and represents the next stage of cyber attacks,” said Michael Shaulov, Check Point’s head of mobile products.

“We are seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them.”

Every day Gooligan installs at least 30,000 apps on breached devices, or over 2 million apps since the campaign began.

Check Point reached out to the Google security team immediately with information on this campaign.

“As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall,” said Adrian Ludwig, Google’s director of Android security.

Among other actions, Google has contacted affected users and revoked their tokens, removed apps associated with the Ghost Push family from Google Play and added new protections to its Verify Apps technology.

Check Point’s mobile research team first encountered Gooligan’s code in the malicious SnapPea app in 2015. In August 2016, the malware reappeared with a new variant, with about 40% of infected devices located in Asia and about 12% in Europe. Hundreds of the exposed email addresses are associated with enterprises around the world. The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device, or by clicking on malicious links in phishing attack text messages.

Check Point is offering a free online tool that allows users to check if their account has been breached.

“If your account has been breached, a clean installation of an operating system on your mobile device is required. For further assistance, you should contact your phone manufacturer or mobile service provider,” said Shaulov.

Image credit: ©stock.adobe.com/au/Nmedia