A new variant of Android malware is responsible for what’s believed to be the biggest single theft of Google accounts on record.

The so-called Gooligan strain has infected as many as 1.3 million Android phones since August, completely prizing the devices open and stealing the tokens users are given to verify they are authorized to access accounts. Its main aim, though, is not to pilfer all that juicy data in Gmail or Docs, but to force users into downloading apps as part of a huge advertising fraud scheme, making as much as $320,000 a month.

And Gooligan is spreading at an alarming rate: since the start of this month, it’s been racking up an average of 13,000 new infections every day, according to researchers from Check Point. The malicious software first gains a foothold on devices when users visit a website and download a third-party app. Michael Shaulov, head of mobile and cloud Security Check Point, said that might be a porn site, or a third-party app store, where visitors are encouraged to download software to get access to content.

But once downloaded, Gooligan determines which Android phone it’s infected and launches the appropriate exploits to “root” the device – i.e. take complete control over it. To do that, the attackers have used long-known vulnerabilities, such as VROOT and Towelroot, on devices running Android 4 through 5, including Jelly Bean, KitKat and Lollipop. Together, those operating systems account for 74 per cent of Android devices in use today, totalling around 1.03 billion. Most infections (40 per cent) are in Asia, though 19 per cent are in the Americas, most of which are in North America, Shaulov said. Another 12 per cent are based in Europe.
Once Gooligan has control of the phone, the victim’s Google account token is siphoned off to a remote server and could be used to gain access to their Gmail, Docs, Drive, Photos and other data, even where two-factor authentication is turned on. Check Point’s researchers were able to trace that server, uncovering a stash of 1.3 million real Google accounts. Looking at server logs, they were also able to determine as many as 30,000 apps were being downloaded every day by infected phones, reaching a total of 2 million so far. Hundreds of businesses’ Google accounts have been hit too, Check Point warned.

Previous multi-million leaks of Google accounts have proven false, most notably in 2014 when just two per cent of 5 million allegedly real logins leaked on the dark web turned out to work on active accounts, and in 2016 when only 460,000 of 23 million published online were deemed legitimate.