New Android malware breaches over a million Google accounts

Researchers at cyber security company Check Point have uncovered a new malware variant that has breached more than a million accounts and is infecting over 13,000 Android devices a day.

Called Gooligan, the malware roots Android devices and steals email addresses and authentication tokens stored on them. With this information, attackers are able to access users' sensitive data from Gmail, Google Photos, Google Docs, Google Play, and G Suite.

It also generates revenue for the criminals by fraudulently installing apps from Google Play and rating them on behalf of the victim. Gooligan is installing 30,000 apps daily on breached devices, accounting for over 2 million apps since the campaign began.

"This theft of over a million Google account details is very alarming and represents the next stage of cyber attacks," says Michael Shaulov, Check Point's head of mobile products. “We are seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them".

Gooligan, part of the Ghost Push malware family, targets devices running Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which together represent almost 74 percent of Android devices currently in use.

In response to Check Point's findings, Google has contacted affected users and revoked their tokens, removed apps associated with the Ghost Push family from Google Play, and added new protections to its Verify Apps technology.

Check Point has launched a free online tool that can be used to check if your device has been breached. If you are unlucky enough to have been affected the company recommends performing a clean install of the device’s operating system.

Image Credit: Paul Michael Hughes/Shutterstock