More than a million Google accounts have been hijacked by “Gooligan” malware, according to the company and a cybersecurity firm.
“The number continues to rise at an additional 13,000 breached devices each day,” said cybersecurity firm Check Point, which discovered the attack and is working with Google to combat it.
Hundreds of infected accounts belong to businesses rather than individual users, Check Point said Nov. 30.
Gooligan steals authentication tokens — electronic identity codes for users — that “can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more,” according to Check Point.
Infections occurred via “legitimate-looking apps on third-party Android app stores” and could also happen via “phishing scams where attackers broadcast links to infected apps to unsuspecting users via SMS or other messaging services,” Check Point said.
Aside from grabbing users’ authentication information, the criminals behind Gooligan don’t appear to be stealing contents from Play, Photos, Gmail, Photos, Docs, Drive or G Suite, according to Google.
“We used automated tools to look for signs of other fraudulent activity within the affected Google accounts,” Google’s director of Android security Adrian Ludwig said in a Nov. 29 blog post. “None were found.”
Gooligan is used to generate money from the compromised accounts, Check Point and Google said. The malware installs onto compromised devices fraudulent apps from Play, which triggers payment to the malware’s wranglers.
“Every day, Gooligan installs at least 30,000 apps fraudulently on breached devices,” Check Point said.
Gooligan comes from a malware family known as “Ghost Push” composed of “hostile downloaders,” Ludwig said. His team has been tracking Ghost Push malware since 2014, he said. “In 2015 alone, we found more than 40,000 apps associated with Ghost Push,” Ludwig said.
Vulnerable to the malware are users running Android operating systems Jelly Bean, KitKat and Lollipop — about three-quarters of all users, according to Check Point. Nearly 60 percent of infected devices are in Asia, while about 20 percent are in the Americas.
A similar malware campaign last year earned $320,000 a month for cybercriminals, Forbes reported Nov. 30. Check Point’s Michael Shaulov told Forbes he believed the criminals running Gooligan are making about the same amount.
Photo: An attendee takes a selfie in front of Android mascots during the 2015 Google I/O conference. (Justin Sullivan/Getty Images)