Android malware steals over one million Google accounts
Android’s overall security “hasn’t measurably improved” since 2012, said Dave Aitel, chief executive of cybersecurity firm Immunity Inc.
A device infected by Gooligan potentially grants access to data stored in any of Google’s applications, including Google Docs, Google Drive, Google Photos, Gmail and Google Play. It might work most of the time, but it also exposes you to malware and, in this case, very unsafe malware that can gain access to your entire Google account. Check Point officials estimate that accounts for almost 74 percent of Android users. Authentication tokens confirm a successful login to various apps and services.
According to researchers from Check Point Software Technologies, Android malware has compromised over one million Google accounts. To monetize the hacked phones, the attackers are showing large numbers of ads in these fake apps, and Check Point says that as many as 30,000 of these are being downloaded daily. The malicious code appears to affect devices running Android 4 (in versions known as Jelly Bean and KitKat) and Android 5 (Lollipop). Of the 1 million breached Google accounts cited in the Check Point report (that number was subsequently revised to 1.3 million), 57 percent are located in Asia, and 19 percent are based in America.
Android devices at risk for infection by Gooligan.
Users must flash a clean version of Android software onto their smartphones.
Google did not immediately respond to an AFP query.
Gooligan is originally found in apps in third-party Android app stores. The goal is not to steal your data (although that can still happen), but to make you download apps in an advertising fraud scheme. Update your device to the latest Android software (Android 6.0 Marshmallow or Android 7.0 Nougat) if possible.
Security firm Check Point was able to trace this server and uncovered 1.3 million Google accounts.
Check Point recommended in a blog post that people who suspect their devices may have been compromised (seen unusual pop-up ads on your phone lately?) should check to see whether their account has been breached by entering their email addresses at the following website: https://gooligan.checkpoint.com/.
Gooligan spreads via apps from third-party app stores and malicious links in phishing attack messages. The search giant is also continually removing apps associated with the Ghost Push family on Google Play, as well as apps that have “benefitted from installs delivered by Ghost Push to reduce the incentive for this type of abuse”. They’ve nicknamed the hacking campaign “Gooligan”. The company also said that it worked with multiple ISPs to disrupt the malware’s infrastructure to slow down future efforts to infect users.