More than 1 million Android phone users around the world have had their devices hacked in a global security breach that is still spreading.
The hack, dubbed Gooligan, is reportedly the largest Google account breach to date and gives attackers access to users’ email, photos and documents.
Check Point, the world’s largest cyber security vendor, said about 13,000 devices are being breached each day when users download and install an infected app on a vulnerable Android device.
The malware steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive and more.
Nigel Phair, a former detective superintendent with the Australian Federal Police, said people can be hacked through fake apps on Android.
“They have an openly curated app store which means anyone can make and upload and anyone can create fake apps and here people have done that and created what looks like a normal app but in fact it is heavily infected with malicious software,” he said.
Google’s ‘taken many actions to protect our users’
Adrian Ludwig, who works in Android security for Google, explained in a blog post that the motive behind the hack was to promote apps and not steal information.
The harmful apps are mostly downloaded outside of Google Play, and those apps then try to download other apps, he said.
Third-party app stores are often attractive because many of their apps are free or offer free versions of paid apps, Check Point said.
Google has tightened security due to this malware campaign and if a user tries to install an offending app from outside Google Play, they will be notified and installations would cease.
Users can check if their account has been compromised through this Gooligan Checker.
“We take these investigations very seriously… we’ve taken many actions to protect our users and improve the security of the Android ecosystem overall,” Mr Ludwig said.
Apps associated with the hacking campaign have also been removed and affected users have had their authentication tokens revoked and have been given instructions on how to log back in securely.
Android users are urged to download apps from Google Play, rather than from unknown sources.