Dubbed Gooligan, the malware roots vulnerable Android devices to steal email addresses and authentication tokens stored on them.
With this information in hand, the attackers can hijack your Google account and access your sensitive information from Google apps including Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite.
Researchers found traces of Gooligan code in dozens of legitimate-looking Android apps on third-party app stores. Once an Android user downloads and installs one of these apps, the malware starts sending the device's information and stolen data to its Command and Control (C&C) server.
"Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153)," researchers said in a blog post.
"If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely."
According to Check Point security researchers, who uncovered the malware, anyone running an older version of the Android operating system, including Android 4.x (Jelly Bean, KitKat) and 5.x (Lollipop), is most at risk; these versions represent nearly 74% of Android devices in use today.
"These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user," researchers added.
Once it has hacked into an Android device, Gooligan also generates revenue for the cyber criminals by fraudulently buying and installing apps from Google Play Store, rating them, and writing reviews on behalf of the phone's owner. The malware also installs adware to generate revenue.
How can you check whether your Google account has been compromised by this malware?
Check Point has published an online tool to check if your Android device has been infected with the Gooligan malware. Just open ‘Gooligan Checker’ and enter your Google email address to find out if you've been hacked.
If you find that you are infected, Adrian Ludwig, Google's director of Android security, has recommended running a clean installation of the operating system on your Android device.
This process is called 'flashing,' and it is quite complicated. The company therefore recommends that you power off your device and approach a certified technician or your mobile service provider to re-flash it.