To check for and remove any changes that this compromise may have made:


While logged on as the affected user, go to https://myaccount.google.com/permissions and remove the FAKE "Google Docs" app. It should show a recent authorization time, from when the user authorized the FAKE app. The FAKE app name might be something like "Google Docs", with a Google Drive icon next to it.

Admins, you can do this from the console under the user's account > Security. Check for suspicious FAKE app names such as "Google Docs" and a token that shows access has been allowed for Gmail and for Contacts. An example of the Auth token (all on one line): 632715883535-h36sb9m6fot4vusucprsab95naef791n.apps.googleusercontent.com
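For admins with many accounts to check, the same test can be run over an exported token list. The following is an added example, not part of the original instructions: it assumes the tokens have been exported as JSON in the shape of the Admin SDK Directory API tokens.list response, and the sample data, user IDs and the two non-page client IDs are constructed.

```python
# Scope URL prefixes for the two kinds of access the page says the token shows.
GMAIL_SCOPE = "https://mail.google.com"
CONTACTS_SCOPE = "https://www.google.com/m8/feeds"
# Client ID quoted on the page as an example of the fake app's token.
KNOWN_BAD_CLIENT_IDS = {
    "632715883535-h36sb9m6fot4vusucprsab95naef791n.apps.googleusercontent.com",
}
SUSPECT_NAMES = {"google docs"}

# Constructed sample data; user IDs and the other client IDs are made up.
SAMPLE = {"kind": "admin#directory#tokenList", "items": [
    {"userKey": "100000000000000000001", "displayText": "Google Docs",
     "clientId": "632715883535-h36sb9m6fot4vusucprsab95naef791n.apps.googleusercontent.com",
     "scopes": ["https://mail.google.com/", "https://www.google.com/m8/feeds"]},
    {"userKey": "100000000000000000001", "displayText": "Calendar Sync Tool",
     "clientId": "000000000000-constructed.apps.googleusercontent.com",
     "scopes": ["https://www.googleapis.com/auth/calendar"]},
    {"userKey": "100000000000000000002", "displayText": " google docs ",
     "clientId": "111111111111-constructed.apps.googleusercontent.com",
     "scopes": ["https://www.google.com/m8/feeds/", "https://mail.google.com/"]},
]}


def has_scope(scopes, prefix):
    """True if any granted scope starts with the given URL prefix."""
    return any(s.startswith(prefix) for s in scopes)


def flag_tokens(token_list):
    """Return (userKey, clientId, reasons) for tokens matching the description."""
    findings = []
    for tok in token_list.get("items", []):
        scopes = tok.get("scopes", [])
        reasons = []
        if tok.get("clientId") in KNOWN_BAD_CLIENT_IDS:
            reasons.append("client ID matches the example on the page")
        name = tok.get("displayText", "").strip().lower()
        if (name in SUSPECT_NAMES and has_scope(scopes, GMAIL_SCOPE)
                and has_scope(scopes, CONTACTS_SCOPE)):
            reasons.append("named 'Google Docs' with Gmail and Contacts access")
        if reasons:
            findings.append((tok.get("userKey"), tok.get("clientId"), reasons))
    return findings


if __name__ == "__main__":
    for user, client_id, reasons in flag_tokens(SAMPLE):
        print(user, client_id, "; ".join(reasons))
```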