A new app-installing malware campaign has affected over 1 million Android devices since it launched in August, according to a new report.
The malware, dubbed “Gooligan,” is reportedly infecting Android devices at a rate of 13,000 a day. Although it has been around for several months, it was only just unveiled as a significant threat by cybersecurity firm Check Point. The malware is currently affecting devices with Android Jelly Bean, KitKat or Marshmallow installed — versions of the Android platform with known Linux kernel vulnerabilities. Helpfully, Check Point has published a list of compromised apps.
Gooligan works by collecting device data and downloading rootkits. It steals email account information and authentication tokens, and injects malicious code into Google Play to download fraudulent apps, according to a Check Point blog post. The malware can be inadvertently downloaded by users from a third-party app store or through a phishing campaign. Worryingly, by compromising the device’s authentication tokens, Gooligan can give attackers access to a user’s Gmail, Google Drive, G Suite and Google Play accounts.
The malware does not seem to be accessing users’ personal emails, files or data, however. The Android Security Team has reportedly scanned affected accounts and did not find any evidence of the authorization tokens being used for fraud. Instead, the attackers seem to be using the malware to boost Google Play rankings — Gooligan uses that access to leave five-star reviews for the non-malicious apps that it automatically downloads.
Hackers using malware to inflate their app store ratings isn’t a new concept — a similar campaign was found to be affecting Android devices earlier this year. One of the problems with this type of malware, however, is that it can frequently evade Google’s scans for malicious apps, as the apps being fraudulently ranked aren’t harmful themselves, The Verge reported.
Another issue with the Gooligan campaign is that, while malware is typically defeated by software updates, and Google patched these Linux kernel vulnerabilities in the past few years, the Android ecosystem is fragmented, so many devices have never received those patches. If you stick to using Google Play, for example, you should be safe from the malware. More than half of the compromised devices are in Asia — possibly due to the popularity of third-party app stores in the region and the lack of Google Play support in China. Devices running older versions of Android without the Google Play app installed could also be at risk, Engadget reported.
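Because the campaign spreads through sideloaded apps rather than Google Play, a quick way to triage a device is to list its third-party packages together with the store that installed each one. The script below is an added example written for this article, not Check Point's detection tool or any code from its report: it parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installer), flags anything not installed by the Play Store (`com.android.vending`), and separately flags any package whose name appears on a blocklist. The blocklist entries and the sample `pm` output are constructed placeholders; substitute the package names from Check Point's published list.

```python
"""Triage of installed Android packages: sideloaded apps and blocklist hits.

Added example, not Check Point's tool. Input is the text of
`adb shell pm list packages -3 -i`, which prints one line per third-party
package in the form `package:<name>  installer=<installer package or null>`.
"""
import re
from dataclasses import dataclass

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed placeholders: replace with package names from Check Point's list.
BLOCKLIST = {
    "com.example.placeholder.flashlight",
    "com.example.placeholder.wifibooster",
}

# Constructed sample output, in the format `pm list packages -3 -i` emits.
SAMPLE_PM_OUTPUT = """\
package:com.example.bank  installer=com.android.vending
package:com.example.placeholder.flashlight  installer=null
package:com.example.games.puzzle  installer=com.thirdparty.store
package:com.example.notes  installer=com.android.vending
"""

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


@dataclass(frozen=True)
class Finding:
    package: str
    installer: str
    reason: str


def parse_pm_output(text):
    """Return {package_name: installer} parsed from `pm list packages -i` output.

    Lines that do not match the expected format are ignored rather than
    raising, so a stray warning line from adb does not abort the triage.
    """
    packages = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            packages[match.group("pkg")] = match.group("inst")
    return packages


def triage(packages, blocklist=BLOCKLIST, play_installer=PLAY_STORE_INSTALLER):
    """Flag blocklisted packages and packages not installed from Google Play.

    A blocklist hit is reported with priority; everything else that was
    installed by some other store (or has no recorded installer, i.e.
    `installer=null`, typical of a manually sideloaded APK) is reported as
    not coming from the Play Store so a human can review it.
    """
    findings = []
    for pkg, inst in sorted(packages.items()):
        if pkg in blocklist:
            findings.append(Finding(pkg, inst, "on blocklist"))
        elif inst != play_installer:
            findings.append(Finding(pkg, inst, "not installed from Google Play"))
    return findings


def main():
    # In practice, feed in the captured output of:
    #   adb shell pm list packages -3 -i
    packages = parse_pm_output(SAMPLE_PM_OUTPUT)
    for finding in triage(packages):
        print(f"{finding.package:45} installer={finding.installer:25} {finding.reason}")


if __name__ == "__main__":
    main()
```

Restricting the listing to third-party packages (`-3`) matters: preinstalled system apps also report `installer=null`, and including them would bury the sideloaded ones. A non-Play installer is only a lead, not proof of compromise; the blocklist match against Check Point's published app names is the actual indicator.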
If you’re concerned about the malware, Check Point has developed a web tool that can detect whether Gooligan has compromised your account.