A new variant of Android malware is believed to be responsible for the biggest single theft of Google accounts on record. The malware strain has infected as many as 1.3 million Android phones since August, taking complete control of the data those users can access. Its main aim, though, is not to pilfer all that juicy data in Gmail or Docs, but to force users into downloading apps as part of a huge advertising fraud scheme that earns the attackers big money.
According to researchers from Check Point, Gooligan is spreading at an alarming rate. Recently it has been racking up an average of 13,000 new infections every day. The malicious software first gains access to devices when users visit a website and download a third-party app.
Once downloaded, Gooligan determines which Android version it has landed on and launches the matching exploit to “root” the device, which means taking complete control over it. The attackers use VROOT and Towelroot on devices running Android 4 through 5, including Jelly Bean, KitKat and Lollipop. Phones running these versions make up about 74% of Android devices in use today, around 1.03 billion. About 40% of infections are in Asia, 19% in the Americas, most of them in North America, and 12% are in Europe.
Previous multi-million leaks of Google accounts have proven false, most notably in 2014, when just two per cent of 5 million allegedly real logins leaked on the dark web turned out to work on active accounts, and in 2016, when only 460,000 of 23 million published online were deemed legitimate.
The attackers force victims to download and give positive reviews to apps on Google Play, which generates an illicit revenue stream as the hackers also run advertisements within the applications. Every download and every click on an ad adds a small amount to the attackers’ takings.
What happens once the phone is infected
Once Gooligan has control of the phone, the victim’s Google account token is siphoned off to a remote server and can be used to gain access to their Gmail, Docs, Drive, Photos and other data, even where two-factor authentication is turned on. Check Point’s researchers were able to trace that server, uncovering a stash of 1.3 million real Google accounts. Looking at server logs, they were also able to determine that as many as 30,000 apps were being downloaded every day by infected phones, reaching a total of 2 million so far. Hundreds of businesses’ Google accounts have been hit too, Check Point warned.
How to find out if your device is infected
If you have been downloading apps from sources other than the official Play Store and want to check whether your account is compromised, you can do so at the web site
If your account has been breached, take the following steps to clean up your device:
- Power off your device and go to a certified technician, or your mobile service provider, to get your device “re-flashed”, which is a clean installation of the operating system on your mobile device.
- Change your Google account passwords immediately after this process.