A new form of Android malware that roots devices and steals email accounts and authentication tokens has been found and is believed to have hijacked more than a million Google accounts.

Discovered by security firm Check Point Software Technologies Ltd. and named “Gooligan,” the malware targets older Android devices running on variants of Android called Jelly Bean (4.1, 4.2, 4.3), KitKat (4.4) or Lollipop (5.0, 5.1).

The malicious code, which is installed on a device via infected apps downloaded from third party Android app stores and disturbingly in some cases Google Play, seeks root permissions once installed in order to gain access to various stored accounts, with Google accounts being at the top of the list, giving those behind the malware access to sensitive data from Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite.

In addition to stealing user credentials, the malware also installs and rates fraudulent apps from the Google Play Store.

By the numbers, the infection rates are quite staggering, with 13,000 devices being infected each day. The malware installs 30,000 apps each day, or 2 million apps since the campaign began, and the list of hijacked email address includes hundreds associated with enterprise accounts.

“This theft of over a million Google account details is very alarming and represents the next stage of cyber-attacks,” Check Point’s head of mobile products Michael Shaulov said in a blog post.  “We are seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them.”

Check Point reached out to Google first to inform them of their findings. Google is said to have contacted affected users and revoked their tokens, removed apps associated with the Ghost Push family (of which Gooligan is a member) from Google Play, and added new protections to its Verify Apps technology.

In a post to Google Plus, Director of Android Security Adrian Ludwig said Google officials have worked closely with Check Point in recent times to investigate Gooligan and to protect users against the threat it poses. He claimed there is no evidence data was accessed from compromised accounts or that individual users were targeted.

The best advice is that if a third party app requests root access to your phone, don’t approve the request.

Image credit: Pexels/Public Domain CC0