Asia is ground zero for malware infections dubbed "Gooligan" and aimed at Android operating systems, with the majority of the million Google accounts breached since August located there, researchers said.
The malware burrows in to mobile devices running on Android and steals information from Gmail, Google Photos, Google Docs, Google Play, Google Drive and G Suite, researchers from Check Point Software Technologies said.
Attackers can also generate revenue by installing apps from Google Play on infected phones.
The malware infects a device after a user downloads and installs a "Gooligan"-infected app on third-party app stores, or when users accidentally click on malicious links in phishing attacks. After the infected app is installed, it sends data about the device to the malware's main server and downloads a rootkit, which enables the attacker to gain control of the mobile device.
"This theft of over a million Google account details is very alarming and represents the next stage of cyber-attacks," Michael Shaulov, Check Point's head of mobile products. said.
"We are seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them."
Since 2014, the Android security team had been tracking a family of malware called "Ghost Push," of which the "Gooligan" malware is a variant, according to a Wednesday public post by Google's Director of Android security Andrian Ludwig.
"We used automated tools to look for signs of other fraudulent activity within the affected Google accounts. None were found. The motivation behind Ghost Push is to promote apps, not steal information, and that held true for this variant," Lugwig said.
Lugwig encourages Android users to conduct device integrity checks and update their devices, as the malware opportunistically installs apps on older devices.
About 57 percent of the affected devices are found in Asia, while 9 percent are in Europe. Another 15 percent of breached devices are in Africa and 19 percent are in the Americas.
"The malware is more dominant in the older version of Android, namely 4 and 5. Though we can't say for sure why, some sources say the older Android versions are still pretty prevalent in Asia," Steve McWhirter, vice president of Asia, Middle East and Africa at Check Point Software Technologies, told CNBC.
The malware targets mobile devices running on the earlier operating systems Android 4.1 Jelly Bean, Android 4.4 KitKat and the Android 5.0 Lollipop, all of which make up 74 percent of the devices in the market.
Android device users who suspect their account might have been hacked will need to go through a process called "flashing," which can be done by mobile service providers or a certified technician, Check Point Software Technologies said, adding that Google account passwords should be changed immediately after "flashing."