Various outlets have reported that software designed to attack Android smartphones may have breached as many as one million Google accounts.The malware accesses email account information and authentication tokens. It then uses these tokens to install and run apps that generate fraudulent ad revenue.
There is no evidence currently suggesting that the attacks have gone after personal information. However, cyber security firm Check Point estimates that as many as two million apps have been installed in this manner over the past three months.
In addition to inflating app installation numbers, which allows for charging higher advertising rates, the malware also forces infected devices to leave positive reviews, which creates a higher rating on Google Play.
Check Point also reported that the malware, dubbed Gooligan, targets devices running Android 4.0 (Jelly Bean and KitKat) and 5.0 (Lollipop), which represents nearly 74 percent of mobile devices using the Google-powered operating system. The attacks can steal email addresses and authentication data stored on the devices to access Gmail, Google Photos, Google Docs and other services.
Check Point reported these details to Google, and has set up a site where Android users can check to see if their device is infected at https://gooligan.checkpoint.com/.
The firm stated that its researchers discovered Gooligan's code in an application last year and that a new variant appeared in August 2016, affecting some 13,000 devices per day. About 57 percent of those devices are located in Asia and about nine percent are in Europe.
The infection begins when a user downloads and installs a Gooligan-infected app on an Android device. These apps could come from a third-party app store or downloaded by tapping malicious links in phishing messages. After an infected app is installed, it sends data about the device to the campaign’s Command and Control server. This opens the door for the malware to be downloaded on the device, accessing Google user information and initiating its attack.