More than one million Google accounts have been breached by malware that infiltrated older Android devices, cyber security firm Check Point Software Technologies Ltd. announced Wednesday.
The researchers traced the malware back to dozens of what they called “legitimate-looking” apps — with names “Wi Fi Enhancer,” “GPS,” “Beautiful Alarm,” “Battery Monitor,” and even “Google” — on third-party Android app stores. In general, Google strongly cautions users to download apps only from the official Google Play store to help reduce the risk of accidentally installing malicious software. Attackers also spread the malware via links sent in text messages to unsuspecting users, Check Point said.
This specific malware, nicknamed Gooligan, has been steadily infecting older versions of Android devices since August of this year; Check Point estimates that 13,000 new devices continue to be breached daily.
Once it lives on a user’s Android device, Gooligan exploits known vulnerabilities in the Android operating system to install other apps and malicious software without users’ permission. Using that foothold, attackers can steal users’ email addresses and authentication tokens in order to dive deeper into their extensive personal data stored across Google: Gmail, Google Photos, Google Drive, etc., Check Point said.
“If you download an infected app ... it gets in under the operating system and gives it access to your Google account, which is tied into your Android phone because Android is from Google, and your Google account is from Google, so you’ve kind of handed them [hackers] the keys to the store,” CNET editor Dan Ackerman told CBS News.
Ackerman said only about 20 percent of Android devices are running the latest software updates, so many users are vulnerable when flaws emerge in older versions.
Check Point set up a website where individuals can enter the emails associated with their Android devices to check if their Google accounts were breached. If that’s the case, Check Point recommends users immediately install a new operating system and change their Google passwords.
Check Point reached out to Google’s security team after uncovering the malware and has been working with Google to investigate the massive breach.
“As always, we take these investigations very seriously and we wanted to share details about our findings and the actions we’ve taken so far,” Adrian Ludwig, Google’s director of Android security, said in a statement confirming Check Point’s findings.
Ludwig outlined the steps Google has taken against this latest threat, which include strengthening security to block Android users from installing unverified apps from outside Google Play; deleting apps associated with the malware from affected devices and from Google Play; and working with internet service providers to take down the infrastructure that supports the malware.
Google has contacted all the users known so far to be affected, the company said.