"'GhostToken' Opens Google Accounts to Permanent Infection"

A security flaw in Google's Cloud Platform (GCP) could have allowed cybercriminals to hide an unremovable, malicious app within a victim's Google account, rendering the account permanently infected. The "GhostToken" vulnerability was identified and reported by Astrix Security researchers. According to an analysis, the malicious app could have enabled a wide range of actions, such as reading the victim's Gmail account, accessing files in Google Drive and Google Photos, viewing the victim's Google Calendar, and monitoring the victim's location using Google Maps. Armed with this information, attackers could create highly convincing impersonation and phishing attacks. GCP is designed to host any of thousands of end-user apps, and, like other app ecosystems, it has an official store from which they can be readily downloaded. In this case, that means the Google Marketplace and third-party markets. Once the user authorizes a download, the app receives a token that grants access to the installing user's Google account based on the permissions requested by the app. Using the GhostToken vulnerability, cybercriminals are able to create malicious apps that they can plant in app stores under the guise of a legitimate utility or service. However, once downloaded, the app hides itself from the app management page of the victim's Google account. This article continues to discuss findings regarding the potential exploitation and impact of the GhostToken vulnerability.

Dark Reading reports "'GhostToken' Opens Google Accounts to Permanent Infection"
