Over 1m Android devices have been infected by a new malware campaign that has been distributed via third-party app stores, according to a report from security firm Check Point.
The malware first emerged in August, and is currently compromising devices at a rate of around 13,000 a day, largely in Asia, where third-party app stores are more prevalent.
The malware, dubbed 'Googlian' by Check Point, roots Android devices and steals email addresses and authentication tokens stored on them, enabling the attackers to access sensitive data and user accounts including Gmail, Google Photos, Google Docs and more.
"This theft of over a million Google account details is very alarming and represents the next stage of cyber-attacks," said Michael Shaulov, head of mobile products at Check Point. "We are seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them."
Devices running on Android versions 4 (Jelly Bean and KitKat) and 5 (Lollipop) are vulnerable to the malware. This represents nearly 74 per cent of Android devices in use today. Check Point has reached out to Google's security team with information on the campaign, with the hope of fixing the vulnerabilities it exploits.
"We appreciate Check Point's partnership as we've worked together to understand and take action on these issues," said Adrian Ludwig, director of Android security at Google. "As part of our ongoing efforts to protect users from the Ghost Push family of malware, we've taken numerous steps to protect our users and improve the security of the Android ecosystem overall."
Among other tactics, the malware's controllers use infected devices to fraudulently install apps and rate them on behalf of the victim, generating revenue from app publishers who pay for massive boosts in Play Store rankings. Gooligan reportedly installs at least 30,000 apps a day across infected devices, totalling at least 2m apps since the campaign began.
Check Point has created a tool enabling Google users to check if their account has been compromised by the malware, as well as putting together a full list of apps infected by the malware, which range from games to utility apps and beyond.
Malware campaigns are typically stopped using software fixes, but in this particular case, Google has already created patches for the vulnerabilities being exploited, which date back to 2013. Unfortunately, Android's fragmented ecosystem means there are still plenty of devices out there that have yet to receive the patch, and the majority are still at risk of infection.