A new malware campaign has been discovered in over 1 million Android devices, according to a new report from the security firm Check Point. Dubbed “Googlian” by the firm, the campaign first emerged in August, and is currently compromising devices at a rate of roughly 13,000 per day.
The malware targets vulnerabilities in Android versions 4 and 5 (Jelly Bean, Kit Kat, and Marshmallow), and spreads through seemingly legitimate apps in third-party app stores. More than half the infections are in Asia, where third-party app stores are particularly popular.
A full list of infected apps is included at the bottom of Check Point’s report, which ranges from simple games like “Slots Mania” to a more suspicious app called “Sex Photo.”
The malware takes advantage of two known vulnerabilities in the Linux kernel, allowing it to take control of a user’s device once a malicious app has been installed. From there, the malware compromises the device’s Google authorization token, giving it broader access to the user’s Google account including Gmail, Drive, and Photos.
According to Google, the malware isn’t accessing any personal emails or files. When the Android Security team scanned the affected accounts, it found no evidence of the malware accessing data or otherwise using the token for fraud. There was also no evidence of the malware targeting any particular people or organizations.
Instead, the malware authors seem to be using their powers to game the Google Play app rankings. Instead of downloading inboxes or Drive accounts, the malware installs non-malicious apps from the Google Play Store, leaving five-star rankings for each app. With over a million devices in on the scheme, the result is a huge boost in the Play Store rankings for the targeted app, potentially worth far more than a stolen credit card.
It’s not the first time online criminals have used malware to boost an app’s ranking. Last year, a family of apps called Brain Test tried a similar tactic, only to be removed by Google after the scheme was made public. Google actively scans for potentially harmful apps in the Play Store, but since the apps being boosted aren’t malicious, they’re able to evade the scans.
You can check if your device has been infected by using a tool built by Check Point. If there’s evidence of an infection, reinstalling the system software will completely remove it.
Typically, malware campaigns can be stopped by a quickly deployed software fix — but in Googlian’s case, that fix has already been sent out. The two exploited vulnerabilities date back to 2014 and 2013, respectively, and both have already been patched by Google. Any devices running a version of Android released in the past year are already protected. Unfortunately, because of Android’s fragmented ecosystem, that only covers a quarter of Android devices overall, leaving the vast majority of devices vulnerable to the attack.