Hackers have in a matter of months compromised more than 1 million Google accounts as part of a lucrative fraudulent advertising scheme involving malicious app downloads, according to a new report by Check Point Software Technologies, an Israeli cybersecurity firm.
People's devices became infected after they installed innocent-looking but booby-trapped software from app stores outside Google's authorized Play store. The malware rooted the devices, taking control at the deepest level of the operating system, and stole the authentication tokens that Google cloud services such as Gmail, Google Photos, and Google Docs use to identify a logged-in user.
Since August, the fraudsters have made off with 1.3 million tokens, with an average of 13,000 new phone infections per day, Check Point researchers found. The attackers reportedly used their foothold in the devices to install additional apps and ad software, as well as to post fake reviews and ratings, all to generate hundreds of thousands of dollars in bogus ad revenue per month.
"They were able to get to the lowest level of the Android operating system where there are no limitations on what the malware can do, and then they went after these account files," said Michael Shaulov, head of mobile products at Check Point, referencing the million-plus stolen Google account credentials. "It's probably the biggest ever security breach of Google accounts."
Shaulov's team discovered the extent of the security breach after a strange piece of malware tripped an alert in Check Point's mobile security product a month ago, he said. The team then began working with Google to investigate the incident.
Despite having pilfered a vast cache of Google account credentials, the hackers did not appear to access data on Google services other than the Play store, Google said.
"We used automated tools to look for signs of other fraudulent activity within the affected Google accounts," wrote Adrian Ludwig, director of Android security at Google, in a Google Plus blog post addressing the compromise. "None were found."
The attackers, in other words, held credentials that could have let them pore over people's email messages or hold their photo libraries for ransom. Instead, they appear to have stuck to ad fraud.
The malicious software, dubbed "Gooligan," belongs to a family of malware called "Ghost Push," which Google has been tracking for two years, Ludwig said. Google discovered more than 40,000 apps related to the scam last year, the company noted in a recent security report.
Check Point researchers have found 86 apps infected with the malware, bearing innocuous names like "Wifi Master," "Light Browser," and "Flashlight Free." About three-quarters of all Android devices on the market today are vulnerable, specifically those running operating system versions 4 through 5: Jelly Bean (4.1 to 4.3.1), KitKat (4.4 to 4.4.4), and Lollipop (5.0 to 5.1.1), Check Point said.
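The two facts above that an administrator can act on are the affected OS range and the display names of the infected apps. The following is an added example, not code from the article or from Check Point, that triages a device inventory on exactly those two signals. The inventory format, the `Device` record and the sample devices are constructed for illustration; the version bounds and app labels are the ones the article quotes. Note that a matching display name only flags a device for a closer look, because the article gives labels rather than package names and a legitimate app may share a label.

```python
"""Triage an Android device inventory against the Gooligan indicators the
article quotes: OS versions 4.1 through 5.1.1 and three app display names.
Added example; the inventory layout below is an assumption, not a real export.
"""
from typing import Iterable, NamedTuple

# Display names of infected apps quoted in the article. These are labels,
# not package names, so a match is a prompt to investigate, not proof.
SUSPECT_APP_LABELS = frozenset({"Wifi Master", "Light Browser", "Flashlight Free"})

# Affected range per Check Point: Jelly Bean 4.1 up to and including Lollipop 5.1.1.
VULN_MIN = (4, 1, 0)
VULN_MAX = (5, 1, 1)


class Device(NamedTuple):
    device_id: str
    android_version: str   # as reported by `getprop ro.build.version.release`
    app_labels: tuple      # display names of installed apps (assumed inventory field)


def parse_version(text: str) -> tuple:
    """'4.4.2' -> (4, 4, 2); '5.1' -> (5, 1, 0). Raises ValueError on garbage."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Android version string: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def version_in_affected_range(text: str) -> bool:
    """True for 4.1 <= version <= 5.1.1 (inclusive at both ends)."""
    return VULN_MIN <= parse_version(text) <= VULN_MAX


def triage(devices: Iterable[Device]) -> dict:
    """Return {device_id: [findings]}; devices with no findings are omitted."""
    report = {}
    for d in devices:
        findings = []
        try:
            if version_in_affected_range(d.android_version):
                findings.append(f"OS {d.android_version} in affected range 4.1-5.1.1")
        except ValueError as exc:
            # An unparsable version is itself worth a look rather than silently skipped.
            findings.append(f"cannot parse version: {exc}")
        hits = sorted(SUSPECT_APP_LABELS.intersection(d.app_labels))
        if hits:
            findings.append("suspect app label(s): " + ", ".join(hits))
        if findings:
            report[d.device_id] = findings
    return report


# Constructed sample inventory (not data from the article or the report).
SAMPLE_DEVICES = [
    Device("dev-01", "4.4.2", ("Gmail", "Flashlight Free")),   # both signals
    Device("dev-02", "5.1.1", ("Gmail",)),                     # top of the range
    Device("dev-03", "6.0.1", ("Wifi Master",)),               # label only
    Device("dev-04", "7.0", ("Chrome",)),                      # clean
    Device("dev-05", "4.0.4", ("Gmail",)),                     # below 4.1, not listed
]

if __name__ == "__main__":
    for dev_id, findings in triage(SAMPLE_DEVICES).items():
        print(dev_id)
        for finding in findings:
            print("  -", finding)
```

A device that shows up here still needs the check the article describes next (the Check Point lookup page and, for confirmed victims, a reflash), since neither an old OS nor a familiar app name proves that a token was actually stolen.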
Check Point recommended in a blog post that people who suspect their devices may have been compromised (seen unusual pop-up ads on your phone lately?) should check to see whether their account has been breached by entering their email addresses at the following website: https://gooligan.checkpoint.com/.
Check Point further recommended that victims reinstall the operating system on their phones by having a technician "flash" the device's memory, since a standard factory reset is not enough to remediate the issue. Immediately after that, customers should change their Google passwords, the company said.
Google, for its part, recommended that customers download the latest Android software updates and stay away from unauthorized app stores to prevent future compromises. The company said it is working to take down the attackers' infrastructure, to eliminate malicious apps from its stores, and to resecure customers' compromised accounts.
Asked who was behind the campaign, Check Point's Shaulov said he hoped to be able to share an attribution in a week's time. "Right now we understand who we believe is involved, but we want to nail down who exactly is behind this," he said.