Malware writers haven’t stopped trying to game app rankings through bogus app installs. Researchers at Check Point have identified a new strain of the longstanding Ghost Push malware, Googlian, that has infected over 1 million Android devices to date and continues to grow (about 13,000 new infections per day). As with earlier code, attackers trick you into installing a Googlian-based app through either a third-party app store or a phishing scam. Once it’s on your phone, the software takes advantage of Linux kernel exploits to access your Google authorization token and install fraudulent apps, whether to boost their Google Play rankings or to generate money through ads.
You’re probably safe. Google fixed the vulnerability in Android 6.0 Marshmallow and beyond, and you’re unlikely to run into one of the malicious apps if you stick to downloading from Google Play. Also, Google observes that the apps aren’t harvesting data or committing fraud beyond the Google Play ratings. If you’re concerned, you can use a web tool from Check Point to verify whether or not Googlian has abused your account.
The concern, as is frequently the case with Android malware, is that many people will remain at risk. As of this story, Google reports that only 24.3 percent of users it tracks are running sufficiently up to date versions of Android. Also, Google Play isn’t always an option — the Chinese can’t use Google Play, for instance, while others may have devices where the store app isn’t installed. It may take a long while before enough people are up to date (most likely through new hardware) that malware like Googlian is no longer effective.