More than a million Google accounts have been hit by malicious software, a security firm said on Wednesday.
Check Point said in a blog post that the attack campaign, known as Gooligan, is expanding to an additional 13,000 devices a day. It's malware that infects devices and steals their authentication tokens to breach data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive and other programs.
The malware attack is said to be the biggest single theft of Google accounts on record, according to Forbes. But the reason for the attack may not be what you'd expect. It's not to grab personal information from the accounts of Google users. Instead, it's to force them to download apps that are part of an advertising fraud scheme that makes up to $320,000 a month, Michael Shaulov, head of mobile and cloud security at Check Point, told Forbes.
Google responded to a request for comment with a link to its blog post about the attack. In the post, Google said it has found no evidence that Gooligan has accessed user data or that specific groups of people have been targeted. "The motivation...is to promote apps, not steal information," Google said.
The episode comes at a time when cyber attacks have been a high profile problem, hitting everyone from internet giants to the Democratic National Committee. In September, Yahoo suffered what is believed to be the biggest cyber attack in history, in which hackers swiped information from more than half a billion accounts. And in July, the White House said it believed Russia was behind hacks of the DNC.
Gooligan belongs to a family of malware called Ghost Push. It features a Trojan horse type of attack, in which the malicious software poses as legitimate apps for Android smartphones and tablets. Names of the malicious apps include StopWatch, Perfect Cleaner and WiFi Enhancer, according to The Wall Street Journal. Once installed, these apps automatically install other apps, some of which can steal usernames and passwords to post fake reviews.
Those downloads and reviews apparently feed into the hackers' ad fraud scheme. The hackers have run ads in those forcibly downloaded apps, so every click or download helps the hackers make money, Forbes reported.
Check Point said Gooligan is a variant of an Android malware campaign found by researchers in the SnapPea app last year.
The Gooligan apps come from third-party app stores or websites, instead of the Google Play store, where the company has more authorization over apps. But Check Point said some apps that Gooligan downloads without permission can be found on the Play store.
Google said it has removed those apps from the Play store.
People who are worried that their Google accounts may be compromised can consult the Check Point website.
First published November 30 at 8:47 a.m. PT.
Update, 9:37 and 10:57 a.m. PT: Adds comment from Google and more information throughout.