Check Point has uncovered a new variety of Android malware that is infecting more than 13,000 devices every day and is the first malware to root more than two million devices since the campaign began.
The malware, dubbed "Gooligan", roots Android devices in order to steal emails and authentication tokens. Attackers can use this information to steal data from Gmail, Google Docs, Google Drive, Google Photos, Google Play and G Suite.
“This theft of over a million Google account details is very alarming and represents the next stage of cyber attacks. We are seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them," says Michael Shaulov, head of mobile products at Check Point.
According to Check Point, it contacted Google 'immediately' and provided information about the malware. Google has contacted affected users, revoked tokens, removed apps from the Ghost Push family on Google Play and added new Verify Apps protection. “We appreciate Check Point's partnership as we've worked together to understand and take action on these issues. As part of our ongoing efforts to protect users from the Ghost Push family of malware, we've taken numerous steps to protect our users and improve the security of the Android ecosystem overall,” says Adrian Ludwig, director of Android security at Google.
The Gooligan code has been around since its insertion in the SnapPea app, discovered last year. The new variant that has been targeting Android devices popped up in August 2016.
Gooligan targets devices running Android 4 (Jellybean and KitKat) as well as Android 5 (Lollipop), which collectively run on 74% of Android devices worldwide.
When users download a Gooligan-infected app on a vulnerable Android device or clicks on malicious phishing links in text messages, the attack begins. Attackers fraudulently download apps on Google Play and rate them on the victim's behalf.
40% of the infected devices are in Asia, and hundreds of the affected accounts have been from enterprise emails, Check Point says.
To help users check if their account has been breached, Check Point is offering a free online tool.
“If your account has been breached, a clean installation of an operating system on your mobile device is required. For further assistance, you should contact your phone manufacturer or mobile service provider,” Shaulov concludes.