Security firm Check Point has revealed a new malware campaign that uses malicious apps to root Android devices, steal Google authentication tokens and illegitimately rack up installation numbers and review scores for other apps.
The malware, dubbed "Gooligan" by Check Point, uses known vulnerabilities to obtain root access — complete control — over devices running Android 4.x and 5.x, before using this to steal Google account names and authentication tokens. This then allowed the perpetrators to remotely install other apps from Google Play on victims' devices, and post false reviews in their name.
In theory, malware like this, which is designed to steal authentication details, may have been able to access other areas of Google accounts, like Gmail or Photos. There's no evidence that "Gooligan" did anything like this — instead, it appears it was built to make money for its creators through illegitimate app installs.
What is striking about this strain of malware is the number of accounts affected — more than one million since the campaign began, according to Check Point. The majority — 57 percent — of these accounts were compromised in Asia, according to the firm. Next were the Americas with 19 percent, Africa with 15 percent and Europe with 9 percent. Check Point has set up a site where you can check if your account is affected; Google also says it's reaching out to anyone who may have been hit.
Ahead of today's public announcement, Google and Check Point have been working together to improve Android's security.
"We're appreciative of both Check Point's research and their partnership as we've worked together to understand these issues," said Adrian Ludwig, Google's director of Android security. "As part of our ongoing efforts to protect users from the Ghost Push family of malware, we've taken numerous steps to protect our users and improve the security of the Android ecosystem overall."
Check Point also notes that Google's "Verify Apps" technology has been updated to deal with apps using vulnerabilities like this. That's significant because, while it doesn't help devices that are already compromised, it roadblocks future installations on 92 percent of active Android devices, even without the need for firmware updates.
As with other app-based exploits, Google's 'Verify Apps' feature now protects 92 percent of active devices from 'Gooligan.'
"Verify Apps" is built into Google Play Services, and enabled by default in Android 4.2 Jelly Bean — accounting for 92.4 percent of active devices, based on the current numbers. (On older versions, it can be manually enabled.) Like the rest of Play Services, it's regularly updated in the background, and it blocks the installation of malicious apps, and can advise users to uninstall malware that's already there.
On newer versions of Android, the underlying exploits used by "Gooligan" to root devices will have been addressed through security patches. So as significant as a million compromised accounts sounds, this is also an example of Google's security strategy for app-based malware working as designed, blocking installations of affected apps across the vast majority of the ecosystem.
If you're concerned that your account may have been affected, you can hit up Check Point's site. In future, Google's existing safeguards — a part of Play Services for the past four years — will ensure you're protected.
Update: Google's lead engineer for Android security, Adrian Ludwig, has an extensive write-up on the background of today's "Gooligan" announcement, and what Google's doing about it, over on Google+.