New malware hacks Google accounts

The new malware campaign called Gooligan rooted Android devices and stole the email addresses and authentication tokens stored on them. This information allowed attackers to access sensitive data of users of Gmail, Google Photos, Google Docs, Google Play, and G Suite, it says.

"This theft of over one million Google account records is unprecedented and represents the next level of cyberattacks," says Michael Shaulov of Check Point. "We're seeing a shift in strategy from hackers who are now targeting mobile devices to get at sensitive data stored on them."

Key findings:

• The campaign infects 13,000 devices a day and is the first to root over one million devices.

• Hundreds of the email addresses are associated with corporate accounts worldwide.

• Gooligan targets devices on Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which account for nearly 74 percent of Android devices in use today.

• Attackers earn their revenue by fraudulently installing apps from Google Play and rating them on behalf of the victim after gaining control of the device.

• Every day, Gooligan installs at least 30,000 apps on hacked devices, or over 2 million apps since the campaign began.

Check Point immediately reached out to Google's security team with information about the campaign. Along with other measures, Google contacted the affected users and revoked the tokens; removed the apps associated with the Ghost Push family from Google Play; and built new protections into their Verify Apps technology, according to Google.

Online tool for testing

Check Point offers a free online tool, which allows Android users to check if their account has been hacked. "If it turns out that your account has been hacked, a proper installation of an operating system on the mobile device is required. This complex process is called flashing, and we recommend turning off the device and contacting a certified technician or mobile service provider who will re-flash the device," Shaulov adds.

Source: Check Point