New Android malware known as Gooligan is said to be stealing details from record numbers of Google accounts, raising questions about Android app security testing. Since August, it has infected around 1.3 million Android devices via stealing tokens for user authentication. The motive behind Gooligan is to steal authentication tokens to breach victim’s Google accounts.

What’s alarming is that Gooligan is spreading at a rate of 13,000 new attacks per day. According to Check Point’s security researchers, the malware works by infecting a device when the user visits a website such as an adult site, where theuser is encouraged to install some software in order to be able to access more content. Or it can also infect a device when a user downloads a third party app from a third party app store. Once inside a device, Gooligan determines the type of Android phone and performs a series of exploits to root the device and take control of it. These third party apps also have sub standard Android app security, opening devices to further attacks.

After taking control of your phone, Gooligan sends Google account data to a remote server, gaining access to your Google Drive, Gmail, Google Docs, Photos and other Google data – including programs that require two-factor authentication. Researchers at Check Point managed to trace the server and uncover around 1.3 million authentic Google accounts. They also determined that infected phones were downloading around 30,000 apps each day with questionable Android app security, taking the total to 2 million. This also includes many corporate Google Accounts as well.

To make this happen, hackers are using long-existing vulnerabilities like Towelroot and VROOT in Android 4 and 5 devices, that include Jelly Bean, KitKat and Lollipop. As much as 40 percent of these affected devices are in Asia, 19 percent in the Americas with a majority in North America, and 12 percent in Europe.

Codified Security is here to help make your mobile app secure whether it’s for iOS, Android app security testing, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing try out Codified Security.