Security firm Check Point says a Trojan horse campaign called Gooligan is striking 13,000 new Google accounts every day.
More than a million Google accounts have been hit by malicious software, a security firm said on Wednesday.
Check Point said in a blog post that the attack campaign, known as Gooligan, is expanding to an additional 13,000 devices a day. The malware infects devices and steals their authentication tokens to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive and other programs.
The attack is the biggest single theft of Google accounts on record, according to Forbes. But the reason for the attack may not be what you’d expect. It’s not to grab personal information from the accounts of Google users. Instead, it’s to force them to download apps that are part of an advertising fraud scheme that makes up to $320,000 a month, Michael Shaulov, head of mobile and cloud security at Check Point, told Forbes.
Google responded to a request for comment with a link to its blog post about the attack. In the post, Google said it has found no evidence that Gooligan has accessed user data or that specific groups of people have been targeted. “The motivation…is to promote apps, not steal information,” Google said.
Gooligan belongs to a family of malware called Ghost Push. It features a Trojan horse type of attack, in which the malicious software poses as legitimate apps for Android smartphones and tablets. Names of the malicious apps include StopWatch, Perfect Cleaner and WiFi Enhancer, according to The Wall Street Journal. Once installed, these apps automatically install other apps, some of which can steal usernames and passwords to post fake reviews.
Those downloads and reviews apparently feed into the hackers’ ad fraud scheme. The hackers have run ads in those forcibly downloaded apps, so every click or download helps the hackers make money, Forbes reported.
Check Point said Gooligan is a variant of an Android malware campaign found by researchers in the SnapPea app last year.
The Gooligan apps come from third-party app stores or websites, instead of the Google Play store, where Google has more control over apps. But Check Point said some apps that Gooligan downloads without permission can be found on the Play store.
Google said it has removed those apps from the Play store.