More than one million Google accounts have been compromised in the recent and biggest attack of Android "Gooligan" hackers.

According to a new report by an Israeli cybersecurity team, Check Point Software Technologies, the hackers have infected the accounts in a matter of months with its fraudulent advertising scheme. Gooligan has been spreading at a very fast rate, with 13,000 new infections daily.

The new variant of malware infected the devices after users downloaded a seemingly innocent app outside of Google's authorized Play Store. Users who visited a website and downloaded a third-party app are the most susceptible to the attacks, especially if they were encouraged to download the software in order to access the content of the website.

The malware then took control of the devices, stealing tokens that Google cloud services use to authenticate users. The token would be linked to a remote server and be used to gain access to Gmail, Docs, Drive, Photos and other data.

Once the attackers have penetrated the device, they installed additional apps and ad software. They would even post fake reviews, giving positive ratings to apps on Google Play.

Tokens are used by users to verify that they have authorized access to their accounts. But with those tokens stolen, hackers have breached an average of 1.3 million Android phones since August.

According to Michael Shaulov, head of mobile products at Check Point, Gooligans "root" to the device by using vulnerabilities such as VROOT and Towelroot on devices running Android 4 through 5. This includes Jelly Bean, KitKat and Lollipop. Android versions 6.0 onwards are not by the Gooligan exploits.

These operating systems combines account for 74% of Android devices in use today. Shaulov also added that 40% of the infections were in Asia.

Without the users being aware of it, they were faced to download apps as part of huge advertising fraud scheme, generating as much as $320,000 a month. Every download and click on the advertisements add to the revenue stream of the hackers.

In a blog post, Adrian Ludwig, Google's Android security chief, said that the company had not seen any evidence of other fraudulent activities aside from the promotion of apps.

"The motivation behind Ghost Push is to promote apps, not steal information, and that held true for this variant," said Ludwig. He added that affected users have been notified and had their account login tokens reset.