Researchers from security firm Check Point Software Technologies say they’ve uncovered a new variant of Android malware that has breached the security of more than one million Google accounts.
The new malware campaign, named Gooligan, roots Android devices and steals email addresses and authentication tokens stored on them. With this information, attackers can access users’ sensitive data from Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite, the company announced.
Check Point said that apps infected with the malware, once installed on an Android device, use exploits in Android versions 4 and 5 to root it, after which the attacker has “full control of the device and can execute privileged commands remotely.” Gooligan targets devices on Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which represent nearly 74% of Android devices in use today.
“After achieving root access, Gooligan downloads a new, malicious module from the [campaign’s Command and Control] server and installs it on the infected device,” Check Point wrote. “This module injects code into running Google Play or GMS [Google Mobile Services] to mimic user behavior so Gooligan can avoid detection, a technique first seen with the mobile malware HummingBad.”
“This theft of over a million Google account details is very alarming and represents the next stage of cyber-attacks,” said Michael Shaulov, Check Point’s head of mobile products. “We are seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them.”
Here’s how to check if your device is infected
Check Point is offering a free online tool that allows users to check if their account has been breached.
“If your account has been breached, a clean installation of an operating system on your mobile device is required. For further assistance, you should contact your phone manufacturer or mobile service provider,” advises the company.