More Than 1M Google Accounts Breached by Gooligan

450 points by idoco, over 8 years ago

12 comments

ohyoutravel, over 8 years ago
Malware on your Android device picked up from third party app stores (FDroid? Amazon?) that steals email accounts and auth tokens. Looks like it only works on the older Android 4 Jellybean software (and some Android 5 Lollipop) and below, so mostly concentrated in Asia where there are lower-end phones.

You can see if your account has been affected here:

https://gooligan.checkpoint.com/
pierrec, over 8 years ago
Just to be clear, they didn't obtain any passwords, but auth tokens. This would potentially allow them to log into accounts, but only as long as the tokens are valid.

Also, they don't reveal which "third party app stores" served infected apps, but they do provide a list of infected apps, and searching for these yields some real shady download sites: http://imgur.com/a/0luW3
n1tro, over 8 years ago
I used to work in an ad-tech company focused on mobile cpi offers that for several months paid the salaries of everyone involved by injecting malware in cracked apps on several third party app stores (they were making a profit out of it enough to dedicate a team only for this).

They even managed to automate all the process of "selling" cracked apps on third party stores. It is amazing how easy it is to trick broke 13yr old kids into installing stuff on their phones.

I left shortly after I found out about this.
devy, over 8 years ago
We were just reading "Android security in 2016 is a mess"[1] 2 days ago and now we have another great example for it.

https://news.ycombinator.com/item?id=13056288
m00dy, over 8 years ago
Checking your email address in such sites looks like a great way to collect email addresses
mapleoin, over 8 years ago
Does anyone else use a special account for their Android phone that they don't use for anything else?
alexcason, over 8 years ago
Cached: http://webcache.googleusercontent.com/search?q=cache:http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/
lucb1e, over 8 years ago
So wait this is phishing, not actually hacking into Google to breach accounts if I understood it correctly?

In that case, I suppose the title might be technically correct (those accounts are indeed breached), but it makes it sound like Google is to blame.
jrochkind1, over 8 years ago
> While Google implemented multiple mechanisms, like two-factor-authentication, to prevent hackers from compromising Google accounts, a stolen authorization token bypasses this mechanism and allows hackers the desired access as the user is perceived as already logged in.

What's the right fix here? Should auth tokens be ip-address-tied? How much will that break? Or would that not even fix it?
neotek, over 8 years ago
And still people complain that Apple refuses to allow third-party app stores.
X86BSD, over 8 years ago
The difference between iOS and Android could not be more clear in this regard. It's interesting to see the difference in security between the two. It's night and day. Google has some serious problems to address. But it seems like they don't care. Their track record is deplorable regarding Android security. Is this really the best Google can do?
jalajc, over 8 years ago
Is there a way to know if my email is on list of breached?