Hackers Break Into One Million Google Accounts

Israeli cyber security firm Checkpoint identified the malware, 'Gooligan,' which gives access to accounts, messages, documents and pictures.

Illustration: A laptop computer sits on display in front of Google's logo.
Illustration: A laptop computer sits on display in front of Google's logo. Ore Huiying, Bloomberg

A new malware software active on Android devices hacked into approximately one million Google accounts, the Israeli cyber security company Checkpoint said on Wednesday. Google confirmed the discovery, adding that none of its users’ information has been leaked.

The program, Checkpoint said, attacks Android 4 and 5 devices, enables access to Google accounts and exposes messages, documents, pictures and any other stored information.

The malware program, named “Gooligan,” infects devices via tainted apps or malicious links.

“We found signs of Gooligan in dozens of apps that appear legitimate in third-party Android app stores. These app stores are an attractive alternative to Google Play because many of the apps are totally free, or else they offer free versions of apps that cost money,” according to the investigators, who said they first encountered the Gooligan code in a malicious app called SnapPea. 

A post on Checkpoint’s blog explained that Gooligan attacks Android 4 and 5 devices, making it a potential threat to 74 percent of the Android market. The malware exploits two known breaches in these versions of the Android operating system. These breaches still threaten many devices, Checkpoint said, because the security patches that correct them are not always available for some versions of Android, or the user never installed them.

The attackers took advantage of one of the widely acknowledged problems with Android security – the fragmentation between the various versions of the operating system and the manufacturers of mobile devices. The slow pace of updates, particularly when compared to Apple’s iOS system, sometimes results in updates not reaching users immediately, with the results evident in this case.

Checkpoint said that some 13,000 devices are being breached by Gooligan every day, with 57 percent of the breaches in Asia, 19 percent in North and South America, 15 percent in Africa and 9 percent in Europe.

The company said that its researchers first encountered Gooligan’s code in the malicious SnapPea app last year, which various security vendors attributed at the time to different malware families like Ghostpush. 

According to Checkpoint, after a device is compromised, usually by downloading an infected application, the app sends data about the device to the attacker’s command and control server. It also downloads a tool that allows it to take total control of the device (known as a rootkit). If the rooting succeeds, it will steal all the user’s email data, including his authentication information. With this information, the malware installs applications on the device from Google Play and rates them there to improve their ranking and reputation. It also installs adware to generate revenue.

Adrian Ludwig, the head of the Android security team at Google, confirmed Checkpoint’s discovery in a post and explained that since 2014 the company has been tracking the Ghost Push family of malware, which he described as “A vast collection of potentially harmful apps that generally fall into the category of ‘hostile downloaders.’ These apps are most often downloaded outside of Google Play and after they are installed, Ghost Push apps try to download other apps.” 

Checkpoint said people can find out if their device was affected here.