Check Point Software Technologies Ltd. (NASDAQ:CHKP) has announced that its security researchers have revealed a new variant of Android malware that has breached the security of more than one million Google accounts. The new malware campaign, named Gooligan, roots Android devices and steals the email addresses and authentication tokens stored on them. With this information, attackers can access users’ sensitive data from Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite.
Michael Shaulov, Check Point’s head of mobile products, commented:
“This theft of over a million Google account details is very alarming and represents the next stage of cyber-attacks. We are seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them.”
Key Findings:
- Campaign infects 13,000 devices each day and is the first to root over a million devices.
- Hundreds of the email addresses are associated with enterprise accounts worldwide.
- Gooligan targets devices on Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which represent nearly 74% of Android devices in use today.
- After attackers gain control over the device, they generate revenue by fraudulently installing apps from Google Play and rating them on behalf of the victim.
- Every day Gooligan installs at least 30,000 apps on breached devices, or over 2 million apps since the campaign began.
Shaulov concluded that the business model was similar to another group dubbed HummingBad, discovered in February this year. The Chinese cybercriminals behind HummingBad made $320,000 a month with that one initiative, according to Shaulov. He believes the Gooligan crooks are earning much the same.