Software technology firm Check Point has revealed a new type of malware campaign that is described as “alarming”. The company's security research team uncovered the attack and has named it Gooligan. Through the campaign, attackers have breached the security of over one million Google accounts.
The problem is exasperated as more accounts are being breached. Indeed, Check Point says the rate is current 13,000 additional accounts per day. In a blog post, the company says the malware attacks the root of a device and steals authentication tokens. This allows attackers access to a wide range of Google services.
Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and others have been breached already. Check Point had already discovered a similar malware campaign a year ago. The software firm says Gooligan is a new variant of that earlier attack.
“We're appreciative of both Check Point's research and their partnership as we've worked together to understand these issues,” said Adrian Ludwig, Google's director of Android security. “As part of our ongoing efforts to protect users from the Ghost Push family of malware, we've taken numerous steps to protect our users and improve the security of the Android ecosystem overall.”
Gooligan potentially affects devices on Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which is over 74% of in-market devices today. About 57% of these devices are located in Asia and about 9% are in Europe.
The code for the Gooligan malware was discovered hidden within dozens of apps. These apps were created to look legitimate and placed on third-party Android app stores. These are unofficial market places where Google's Play Store security methods are not applied.
In its research, Check Point found “tens” of false apps that carried the malware. A list of the fake apps discovered to date can be found at the source. The company also explains how users can check if their Google account has been breached:
“You can check if your account is compromised by accessing the following web site that we created: https://gooligan.checkpoint.com/.
If your account has been breached, the following steps are required:
- A clean installation of an operating system on your mobile device is required (a process called “flashing”). As this is a complex process, we recommend powering off your device and approaching a certified technician, or your mobile service provider, to request that your device be “re-flashed.”
- Change your Google account passwords immediately after this process.”