Most people are used to putting anti-virus software on their computer, but here’s a friendly reminder your phone requires protection as well: more than one million Android devices have been infected by a particularly bad bit of malware, according to a report from Check Point Software Technologies.
The team of security researchers has been tracking the family of malicious code, which they dubbed Gooligan, that has burrowed its way into Android phones and tablets around the world, including hundreds of enterprise devices.
The infections stem primarily from apps found in third-party app stores, which are often less-regulated alternatives to the Google Play Store that people turn to for free apps. Check Point reported at least 86 apps have been found to have traces of Gooligan, most of which appear legitimate and have been given artificially high ratings in the app store.
Once one of the infected apps is installed onto a user’s device, either from an app store or by clicking a malicious link, it begins collecting data about the device and reporting it to a command and control server—a centralized computer that issues commands to and receives reports from devices.
The malware then downloads a rootkit, which is used to gain unauthorized access to the device. Once it has successfully rooted the phone, Gooligan injects code to avoid detection while going about its business. The malware will steal a user’s Google email account and authentication token information, install apps and rate them to raise their reputation, and install adware that generates revenue for the malware creator.
Pretty much anything related to the account on the device could be threatened if it’s infected. If Gooligan successfully steals a user’s authentication token, it can gain access to just about anything Google related—Gmail, Google Photos, Google Docs, Google Play, Google Drive, etc.—without requiring a password to log in.
While more than one million devices have already been hit by Gooligan, Check Point reports that figure is increasing by 13,000 users per day. Phones and tablets running versions of Android 4 and 5—more than 74 percent of active Android devices—are at risk of infection. Check Point called Gooligan “the largest Google account breach to date.”
Asked for comment on the report, Google directed IBTimes to a Google+ post made by Adrian Ludwig, director of Android security. In the post, Ludwig said Google has worked closely with Check Point to track Gooligan and its variants.
He also notes that while the infections may be widespread, there is “no evidence of user data access.” The attacks, Ludwig says, are driven by an attempt to “promote apps, not steal information.”
Despite the assurance that account information doesn’t seem to be the primary goal of the attackers, Google has nonetheless tightened its security protocols. The company has deployed a new security tool to verify the integrity of apps, removed apps with any connection to Gooligan from the Google Play Store, and revoked tokens of compromised accounts.
Users still worried they may be at risk can use Check Point’s Gooligan Checker tool to test if an account has been compromised. If infected, users will have to complete a fresh installation of Android and are advised to change Google account passwords immediately. Users can also install antivirus tools like Check Point’s own ZoneAlarm app to ensure safety.