How to Secure Your Gmail Account in 2024: Google Advises Users

Uchechukwu Nkenta | Categories: Guides

Gmail is the world’s most popular email platform, and I give the credit to Android, which indirectly forces new and old users to either create or sign in with a Google account before they can use any of the Google services on an Android device.

We are talking about Google Play, YouTube, Google Assistant, Google Bard, Google Photos, AdSense, Google Maps, and many other Google services, including Gmail. Simply put, you can’t enjoy an Android phone without Google services, period.

Of course, there are workarounds: you can get the apps you want by sideloading them. But even that comes with a cost. By following this route to install an app, you put your device at risk of installing malicious apps.

Since sideloaded apps bypass the security measures put in place by Google, your device is exposed to a higher probability of getting malware or other dangerous software, not to mention the time it would take to get the app installed.

But if you do it right with Google, on Google Play, you save yourself a lot of trouble and can rest assured that all apps installed with a single click are checked by Google to ensure they are safe for use.

There were 4 billion email users worldwide as of 2020, and a large portion of them use Gmail, which had over 1.8 billion active users as of the same year. This puts Gmail at the forefront of attacks.

An intelligence analysis by CloudSEK researcher Pavan Karthick M, published on December 29, 2023, raised an alarming concern about a vulnerability the researchers found with Google accounts.

From their observations, attackers are exploiting an undocumented authentication endpoint, primarily used for cross-services synchronization, to compromise Google accounts.

The attackers gain unauthorized access to users’ accounts by manipulating session cookies, eliminating the need for credentials, and providing direct entry into Gmail inboxes.

The exploit was first noticed on October 20 via a Russian-language Telegram channel, and by November 14 it had been incorporated into malware by the Lumma criminal group and subsequently adopted by other organizations.

As of December 27, dark web activities demonstrate ongoing usage of this exploit against Google account session cookies. But unlike typical session cookie hijacks, this exploit distinguishes itself by restoring expired session cookies, allowing prolonged unauthorized access.

Changing your Google password does not prevent the attack, as the exploit facilitates continuous access to Google services even after a password reset. However, Google is not oblivious to the situation.

A company spokesperson has acknowledged the reports of a malware family stealing session tokens and has assured users that Google has routinely enhanced its defenses against such threats.

Contrary to some claims, Google states that stolen tokens and cookies can be invalidated by signing out of the affected browser or remotely revoking access through the user’s devices page. Google also recommends enabling Enhanced Safe Browsing in Chrome to fortify defenses against phishing and malware downloads.

With Google’s response to the threat, CloudSEK provides a comprehensive strategy for users to safeguard their accounts. If users suspect their accounts may have been compromised, or as a precaution, CloudSEK advises signing out of all browser profiles to invalidate current session tokens.

Following these actions, users should reset their passwords and sign back in to generate new tokens. Resetting the password disrupts unauthorized access by rendering the old tokens ineffective, thereby creating a crucial barrier against the exploit’s continuation.
