More than one million phones powered by older versions of Google’s Android operating system have been infected by malware known as Gooligan.
The insidious malware targets phone owners’ Google accounts, and an additional 13,000 handsets are breached each day, security firm Check Point is reporting. At risk are those whose phones run Android 5.1 and older. The majority of breached accounts come from Asia.
“We believe that it is the largest Google account breach to date,” reads a Check Point blog post.
“Our research exposes how the malware roots infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.”
Gooligan is disguised as real Android apps in third-party app stores. So far, Check Point has discovered 86 apps containing the malware.
Once a Gooligan-infected app is installed, it roots the device by exploiting vulnerabilities in older versions of Android.
Gooligan is able to steal a user’s Google e-mail account and authentication token information, install apps from Google Play and rate them to raise their reputation, and install adware to generate revenue.
“Ad servers, which don’t know whether an app using its service is malicious or not, send Gooligan the names of the apps to download from Google Play. After an app is installed, the ad service pays the attacker. Then the malware leaves a positive review and a high rating on Google Play using content it receives from the C&C server,” Check Point writes.
“Our research team was able to identify several instances of this activity by cross-referencing data from breached devices with Google Play app reviews. This is another reminder of why users shouldn’t rely on ratings alone to decide whether to trust an app.”
Check Point said it is working with Google to investigate Gooligan. It is recommended that Android users check their account security.