One of the largest breaches ever of Google accounts was uncovered on Wednesday, with cyber criminals reportedly infecting more than one million Android phones worldwide, stealing credentials and installing malicious software.
Uncovered by security software company Check Point, the attack is dubbed “Gooligan” and continues to infect over 13,000 phones every day. The company believes the breach to be the largest Google account breach to date.
The malware comes from third-party applications installed outside of Google’s Play Store, and only affects phones running on version four and version five of the Android operating system. The current version of Android is version seven, but due to many manufacturers’ sluggish update schedules, about 74% of Android users are still operating on those older versions.
Once installed, the malware uses an exploit only found in older Android versions, allowing the malicious applications to gain full access to all the phone’s functions, commonly known as “root access”.
Once root access is granted, the malware can then access all functions of the user’s Google accounts, including Gmail, Google Docs, Google Photos, and Google Drive. Check Point notes that “hundreds” of the compromised accounts are associated with enterprise accounts.
Alongside gaining this access, the malicious software downloads apps and fraudulently reviews them, gaining revenue from ad services that pay for app reviews. The device is also infected with “adware”, which displays unwanted advertising to the user, again generating revenue.
Check Point alerted Google to the issue, and Google responded by removing fraudulently reviewed apps from the Google Play Store and protecting Google accounts that were compromised. It is believed that Gooligan is a form of Ghost Push malware, malicious software that Google has been working to eradicate for over two years.
“We’re appreciative of both Check Point’s research and their partnership as we’ve worked together to understand these issues,” said Adrian Ludwig, Google’s director of Android security, in a statement to Check Point.
“As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall.”
Check Point found that 57% of breaches occurred in the Asia region, with 19% occurring in the US. Users can check if their Google account is compromised by using Check Point’s tool.
Review your cyber security
Android users are advised to steer clear of apps that are not available in the Google Play Store, and to be wary of suspicious-looking links.
And it’s another reminder to SMEs to be vigilant when it comes to cyber security, even for things as simple as updating old and outdated passwords.
In June this year, Facebook founder Mark Zuckerberg had his Twitter account compromised, and it was revealed that his password was “dadada”.
At the time, cyber security expert Michael McKinnon told SmartCompany that passwords should be at least 12 characters in length, have uppercase and lowercase letters, and include at least one digit and symbol.
“If you can stick to these rules, you’re virtually uncrackable,” McKinnon said.
“Ideally you want a 50-character string of random numbers and letters, but we’re all human and remembering that would be hard.”