Over 1 million Android devices have been infected with malware that steals email information and authentication tokens and gains access to personal details and files, an Israeli security firm said Wednesday.
Check Point Software Technologies discovered the code, named Gooligan, which is an aggressive variation of the “Ghost Push” family of Potentially Harmful Apps. Check Point immediately contacted the Google Security team, and the two groups are working together to find the source of the virus and remove the threat, the firm said.
Check Point did not say if any specific group was suspected of being behind the hack.
In a blog post published Wednesday, the Check Point Research Team said Gooligan was likely “the largest Google account breach to date.”
“We are working with Google to continue the investigation. We encourage Android users to validate whether their accounts have been breached,” the company said.
In a statement Google said that there is “no evidence of user data access… The motivation behind Ghost Push is to promote apps, not steal information, and that held true for this variant.”
The malware can affect machines running Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which together account for over 74% of Android users.
The program steals authentication tokens from infected devices, which can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive and others.
“This theft of over a million Google account details is very alarming and represents the next stage of cyberattacks,” said Michael Shaulov, Check Point’s head of mobile products.
“We are seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them.”
Check Point said researchers discovered Gooligan’s code in an application last year and that a new variant appeared in August 2016, affecting some 13,000 devices per day. About 57% of those devices are located in Asia and about 9% are in Europe.
The malware sneaks into devices by hiding in legitimate-looking apps downloaded from third-party sites. Once on a machine it looks to exploit weaknesses within the operating system. If the malware is successful the attacker has full control of the device.
Once it has control of the device the malware installs software from Google Play and leaves a positive review and a high rating on Google Play, generating revenue for the hackers behind the virus.
Check Point created a website, https://gooligan.checkpoint.com, where concerned Android users can check if their device has been compromised. Their site also has a list of over 80 apps that may contain the malware.
If a device is infected with the malware it requires a clean installation of the operating system, something best done by a certified technician or service provider, Check Point said.
In addition the user should change their Google account passwords immediately after the process, they advised.
AFP contributed to this report