Over one million Google accounts have been breached after a malware called Gooligan started spreading like wildfire through third-party Android app stores. Compromised accounts are then used to post fake ratings for malicious apps and to download adware onto infected devices. Even enterprise accounts have been affected. Here’s how you can check if your Google account has been compromised.
Dozens of fake apps carrying the Gooligan malware download rootkits onto infected devices that run Android Jelly Bean, KitKat and Lollipop. The newest Android operating system is Nougat, but around 74% of devices still run the older versions, according to the security researchers at Check Point who discovered Gooligan.
If Gooligan successfully roots a device, it then moves on to steal email accounts and authentication tokens that provide access to Google services like the Play Store. Compromised accounts are then used to post fake reviews on the Play Store to boost ratings for dodgy apps that are then used to perpetuate the malware. They are also used to download adware onto affected devices, which generates revenue for the criminals behind Gooligan.
Most of the infections have occurred in Asia (57%) but the Gooligan malware has been found in countries around the world. Check Point also noticed that hundreds of the email addresses are associated with enterprise accounts worldwide.
Google has been made aware of the malware and has taken steps to protect users but those who have already been hit by Gooligan need to take matters into their own hands.
How To Check If You’re Affected
Check Point has released a free online tool that lets you check if your Google account has been breached.
If you have been affected, Check Point recommends the following steps:
- A clean installation of an operating system on your mobile device is required (a process called ‘flashing’). As this is a complex process, we recommend powering off your device and approaching a certified technician, or your mobile service provider, to request that your device be ‘re-flashed.’
- Change your Google account passwords immediately after this process.
You can find more details, including a list of apps that have been found to contain Gooligan, on the Check Point blog.