More than 1 million Google accounts have already been compromised and thousands more are being breached every day by a new malware campaign targeting Android devices running old versions of the operating system, cyber security firm Check Point Software Technologies said Wednesday.
Check Point said it is working with Google’s Security team to address the threat, which has been dubbed “Gooligan.”
A variation of the 2014 “Ghost Push” malware family, Gooligan attacks mobile devices running Android 4 (Jelly Bean and KitKat) and 5 (Lollipop) to gain access. Check Point and Google said Gooligan’s focus is to root devices and generate revenue by fraudulently installing apps from Google Play and rating them using the victim’s credentials.
According to Check Point, the door to infection is opened when a victim downloads and installs a Gooligan-infected app on their Android device, or clicks on malicious links in phishing messages. Check Point said more than 1 million Google accounts have already been compromised, and 13,000 new devices are infected by the malware each day. Over 2 million apps have fraudulently been installed since the campaign began, the firm said. Around 40 percent of impacted devices are in Asia and 12 percent are in Europe, Check Point stated.
While Check Point noted a rooted device could expose a victim’s Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite data, Google said it has not found signs of other fraudulent activity within the affected Google accounts.
Still, given that nearly three quarters of Android devices in use today run Android 4 or 5, Check Point said the threat is incredibly concerning and marks a shift in malware attack strategy.
“This theft of over a million Google account details is very alarming and represents the next stage of cyber-attacks,” Check Point’s Head of Mobile Products Michael Shaulov said. “We are seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them.”
Google Director of Android Security Adrian Ludwig said in a blog post the company has already taken steps to strengthen the Android ecosystem via the deployment of “Verify Apps” improvements and the removal of apps associated with Ghost Push from the Play store. Google said it is also working with the Shadowserver Foundation and several major Internet service providers that provided infrastructure used to host and control the malware to disrupt future attacks.
Additionally, Check Point said it is offering a free online tool that allows users to check if their account has been breached.
“If your account has been breached, a clean installation of an operating system on your mobile device is required,” Shaulov noted. “This complex process is called flashing, and we recommend powering off your device, and approaching a certified technician or your mobile service provider, to re-flash your device.”