Hackers have in a matter of months compromised more than 1 million Google accounts as part of a lucrative fraudulent advertising scheme involving malicious app downloads, according to a new report by Check Point Software Technologies (CHKP), an Israeli cybersecurity firm.
People’s devices became infected after they installed innocent-looking, albeit booby-trapped software from app stores outside Google’s (GOOG) authorized Play store. The malware took complete control of their devices at the root, or deepest level, stealing tokens that Google cloud services—such as Gmail, Google Photos, and Google Docs—use to authenticate users.
Since August, the fraudsters made off with 1.3 million tokens with an average of 13,000 new phone infections per day, Check Point researchers found. The attackers reportedly used their foothold in the devices to install additional apps and ad software as well as to post fake reviews and ratings—all to generate hundreds of thousands of dollars in bogus ad revenue per month.
Get Data Sheet, Fortune’s technology newsletter.
“They were able to get to the lowest level of the Android operating system where there are no limitations on what the malware can do, and then they went after these account files,” said Michael Shaulov, head of mobile products at Check Point, referencing the million-plus stolen Google account credentials. “It’s probably the biggest ever security breach of Google accounts.”
Shaulov’s team discovered the extent of the security breach after a strange piece of malware tripped an alert in Check Point’s mobile security product a month ago, he said. The team then began working working with Google to investigate the incident.
Despite having pilfered a vast cache of Google account credentials, the hackers did not appear to access data on Google services other than the Play store, Google said.
Read more: “Millions of Android Devices Were Infected by a Chinese Advertising Firm”
“We used automated tools to look for signs of other fraudulent activity within the affected Google accounts,” wrote Adrian Ludwig, director of Android security at Google, in a Google Plus blog post addressing the compromise. “None were found.”
The attackers, in other words, could have used the credentials to pore over people’s email messages, or to hold people’s photo libraries for ransom. Instead, they appear to have stuck to ad fraud.
For more on advertising, watch:
The malicious software, dubbed “Gooligan,” belongs to a family of malware called “Ghost Push,” which Google has been tracking for two years, Ludwig said. Google discovered more than 40,000 apps related to the scam last year, the company noted in a recent security report.
Check Point researchers have found 86 apps infected with the malware bearing innocuous names like “Wifi Master,” “Light Browser,” and “Flashlight Free.” About three-quarters of all Android devices on the market today are vulnerable, specifically those running operating system versions 4 through 5, dubbed Jelly Bean (4.1 to 4.3.1), KitKat (4.4 to 4.4.4), Lollipop (5.0 to 5.1.1), Check Point said.
Check Point recommended in a blog post that people who suspect their devices may have been compromised (seen unusual pop-up ads on your phone lately?) should check to see whether their account has been breached by entering their email addresses at the following website: https://gooligan.checkpoint.com/.
Check Point further recommended that victims reinstall the operating system on their phones, hiring a technician to “flash” the device’s memory, since a standard factory reboot is not enough to remediate the issue. Immediately following that, customers should change their Google passwords, the company said.
Google, for its part, recommended that customers download the latest Android software updates and stay away from unauthorized app stores to prevent future compromises. The company said it is working to take down the attackers’ infrastructure, to eliminate malicious apps from its stores, and to resecure customers’ compromised accounts.
Asked who was behind the campaign, Check Point’s Shaulov said he hoped to be able to share an attribution in a week’s time. “Right now we understand who we believe is involved, but we want to nail down who exactly is behind this,” he said.
