Malicious software designed to attack Android smartphones has breached the accounts of more than a million Google users, security researchers said Wednesday.

The report by Check Point Software Technologies said the malware dubbed Gooligan targets devices running Android 4.0 and 5.0, which represent nearly 74 percent of mobile devices using the Google-powered operating system.

The attacks can steal email addresses and authentication data stored on the devices to access sensitive data from Gmail, Google Photos, Google Docs and other services, Check Point said.

"This theft of over a million Google account details is very alarming and represents the next stage of cyber-attacks," said Michael Shaulov, Check Point's head of mobile products.

"We are seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them."

Check Point said researchers discovered Gooligan's code in an application last year and that a new variant appeared in August 2016, affecting some 13,000 devices per day. About 57 percent of those devices are located in Asia and about nine percent are in Europe.

"The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device, or by clicking on malicious links in phishing attack messages," the company said in a statement.

Attackers can gain control over the device and generate revenue by fraudulently installing apps from Google Play and rating them on behalf of the victim.

Check Point said it reported the details of the malware to Google, and that the tech giant indicated it would take steps to protect users.

Google did not immediately respond to an AFP query.