Security firm Check Point reported that more than 1 million Google accounts, including authentication tokens, have been compromised by the Android malware known as Gooligan. Hackers use Gooligan to gain access to victim’s Gmail, Google Photos, Docs, Drive, Play, and GSuite. The hackers can generate revenue by installing apps via Google Play on the hacked phone and rating apps on behalf of the user. Hackers can also profit by installing adware.

Gooligan first gained publicity in 2014, however, the recent campaign that began in August is infesting 13,000 devices daily. Gooligan is targeting Android 4 and 5 devices. Check Point estimates that nearly 74% of Android users utilize Android 4 or 5 devices. Gooligan was found in many legitimate-looking third party app stores but users also downloaded the app directly from malicious links found in phishing messages.

Check Point’s Head of Mobile Products Michael Shaulov said, “This theft of over a million Google account details is very alarming and represents the next stage of cyberattacks. We’re seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them.”