Malware called Gooligan breached the security of more than 1 million Google accounts, initially spreading through “tens of fake apps”, according to security firm Check Point.
Gooligan potentially affects devices using older (but still common) versions of Android, including Jelly Bean, KitKat and Lollipop. The majority of such devices (57 per cent) are in Asia, with 9 per cent in Europe.
Check Point added that the campaign is attacking 13,000 additional devices each day.
The firm found that every day Gooligan installs at least 30,000 apps fraudulently on breached devices, totalling more than 2 million apps since it began.
According to Adrian Ludwig, director of Android security at Google, the tech giant has investigated the case and found no evidence of user data access.
He said Google is working to strengthen the security of the Android ecosystem and recommends users update their devices to ones that support newer Android software.
Google is also working with the internet service providers that provide infrastructure used to host and control the malware.
“Taking down this infrastructure has disrupted the existing malware, and will slow the future efforts,” Ludwig said.
How it works
Gooligan roots infected devices and steals authentication tokens that can be used to access data from services including Google Play, Gmail, Google Photos, and Google Docs.
It uses Google credentials to generate fraudulent installs of other apps.
Check Point explained that it found traces of the Gooligan malware code in dozens of legitimate-looking apps on third-party Android app stores, which are an “attractive alternative” to Google Play because many of their apps are free, or offer free versions of paid apps.
However, the security of these stores and of the apps they sell isn’t always verified. Gooligan-infected apps can also be installed through phishing scams in which attackers broadcast links to infected apps to unsuspecting users via SMS or other messaging services.