This story is over 5 years old.

New Android Malware Spreads Through Sketchy Apps To Older Cellphones

A new Android malware hacked 1.3 million cellphones and Google accounts, but it was all in the name of adware and promoting sketchy apps.
Image: mac morrison/Flickr

A new strain of Android malware has infected at least 1.3 million cellphones, taking control of the devices and stealing the users' Google login tokens in an attempt to rack up fraudulent ad money, according to new research.

Google and the cyber security company Check Point worked together to track down the campaign, which was dubbed "Gooligan." The malware is part of a larger family referred to as "Ghost Push" and is still spreading at a rate of 13,000 new hacked devices per day, according to Check Point, which published an analysis of the malware on Wednesday.

Instead of stealing people's Google docs or their emails, the malware's goal was much more utilitarian: install adware to make money for the virus' creators.

The malware spreads through sketchy apps—Check Point identified 86 of them—mostly present on third-party stores, but also on Google Play, according to a Google spokesperson. To take control of the device, a process known as "rooting," the malware took advantage of well-known security holes and exploits, targeting older versions of Android, particularly Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), according to Check Point.

In an ideal world where users run updated software, this would mean very few people would be vulnerable. But given that carriers and manufacturers are slow to push updates, most Android phones in the world run old versions of the operating system. For this reason, 74 percent of Android cellphones could potentially be infected, according to Check Point.

As usual, if you use Android and especially if you have an older Android cellphone whose software is not up to date, be very careful when downloading and installing apps from outside Google Play. Ideally, just don't do it.

Adrian Ludwig, the director of security at Android, who recently told Motherboard that Android is mostly as secure as iOS, said in an online post that Google has taken several steps to protect affected users. He said the company has alerted all those who got infected, disabled their access tokens to force them to log back in, removed malicious apps from the Google Play store, and in some cases even prevented users from installing the malicious apps.

Ludwig said that they didn't find any signs of fraudulent activity within the hacked Google accounts.

"The motivation behind Ghost Push is to promote apps, not steal information," he wrote in an online post.

If you are worried you might have been a victim of Gooligan, Check Point created a website where you can check if your account was compromised. If you got infected, you might have to reinstall the operating system on your phone, a process known as re-flashing.

On the bright side, "no passwords need to be reset," according to a Google spokesperson.

Once again, hackers didn't need fancy tricks or exploits to hack a large number of Android cellphones.

"With the age of the exploits, and the fact that the source code for those exploits has been publicly available for years, makes me assume the malware authors are either amateurs or don't find their targets important enough to use modern exploits on," Jon Sawyer, a researcher who specializes in Android security, told Motherboard in an email. "Most Android malware is boring, rarely do we see anything taking advantage of newer vulnerabilities, even rarer do we see zero days."
