Android malware Gooligan breaches over 1 million Google accounts

1 Dec, 2016


An Android malware strain has breached over 1 million Google accounts, with the number of affected devices rising to 13,000 a day, says cybersecurity firm Check Point Software Technologies Ltd.

Check Point said in a statement it has found traces of the malware Gooligan in dozens of legitimate-looking apps on third-party Android app stores. These stores serve as alternatives to Google Play because they offer free versions of paid apps.

The malware spreads through fake apps such as 'GPS Speed', 'YouTube Downloader' and 'Clean Master'. The security firm has released a list of such fake infected apps and has also launched a new tool where users can check if an account is compromised.

Check Point and Google are working together to investigate the source of the malware.

"We're appreciative of both Check Point's research and their partnership as we work together to understand these issues," said Adrian Ludwig, Google's director of Android security. "As part of our ongoing efforts to protect users from the Ghost Push family of malware, we've taken numerous steps to protect our users and improve the security of the Android ecosystem overall."

Check Point first discovered Gooligan last year in the malicious SnapPea app. Gooligan was part of a mobile malware campaign targeted at Android devices and was attributed to malware families Ghost Push, MonkeyTest and Xinyinhe. "By late 2015, the malware's creators had gone mostly silent until the summer of 2016 when the malware reappeared with a more complex architecture that injects malicious code into Android system processes," it said.

The Android smartphones most vulnerable to the malware are those running the Jelly Bean, KitKat and Lollipop versions of Android, which comprise 74% of in-market devices. Around 57% of these devices are in Asia and 9% in Europe.

The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device. The security firm says that Gooligan-infected apps can also be installed through phishing scams in which attackers broadcast links to infected apps to unsuspecting users via SMS or other messaging services.

The malware steals the Google authorisation token, which can be used to access all the Google services related to the user, including Google Play, Gmail, Google Docs, Google Drive and Google Photos. It installs apps from the Google Play Store to rate them and installs adware to generate revenue, Check Point said.