A new Android malware named “Goldoson” has infiltrated Google Play via 60 legitimate apps totaling 100 million downloads.

The malicious component is part of a third-party library that the developers of the sixty apps unknowingly added to their apps.

Some of the applications affected are:

  • L.POINT with L.PAY – 10 million downloads
  • Swipe Brick Breaker – 10 million downloads
  • Money Manager Expense & Budget – 10 million downloads
  • GOM Player – 5 million downloads
  • Live score, real-time score – 5 million downloads
  • Pikicast – 5 million downloads
  • Compass 9: Smart Compass – 1 million downloads
  • GOM Audio – music lyrics, synchronization – 1 million downloads
  • LOTTE WORLD Magicpass – 1 million downloads
  • Bounce Brick Breaker – 1 million downloads
  • Infinite Slice – 1 million downloads
  • SomNote – Beautiful notes app – 1 million downloads
  • Korea Subway Info: Metroid – 1 million downloads

According to the McAfee Research Team, who discovered Goldoson, the malware can collect data about installed apps, devices connected to Wi-Fi and Bluetooth, as well as the user’s GPS locations.

Moreover, it can perform ad fraud by clicking on advertisements in the background without user consent.

Steal data from Android devices

When the user launches an application containing Goldoson, the library registers the device and receives its configuration from a remote server whose domain is masked.

The configuration contains settings that define what data-stealing and ad-clicking functions Goldoson should perform on the infected device and how often.

Figure: Goldoson Setup (McAfee)

The data collection feature is typically set to activate every other day, sending the C2 server a list of installed apps, geo-location history, the MAC addresses of devices connected via Bluetooth and WiFi, and more.

Figure: JSON request that exfiltrates data (McAfee)

The level of data collection depends on the permissions granted to the infected app when it was installed and on the version of Android. Android 11 and above are better protected against arbitrary data collection; however, McAfee found that even on recent versions of the operating system, Goldoson had enough permissions to collect sensitive data in 10% of applications.
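Because the harvest described above is bounded by what the host app was granted, a defender reviewing an app's decoded AndroidManifest.xml can see which of Goldoson's data sources an embedded SDK could actually reach. The script below is an added example, not McAfee's tooling; the mapping from permissions to data sources and the sample manifest are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that unlock each data source the report says Goldoson harvests.
# This grouping is the example's assumption, not an indicator list from McAfee.
CAPABILITIES = {
    "installed_apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "bluetooth_devices": {"android.permission.BLUETOOTH",
                          "android.permission.BLUETOOTH_CONNECT",
                          "android.permission.BLUETOOTH_SCAN"},
    "wifi_devices": {"android.permission.ACCESS_WIFI_STATE"},
}


def audit_manifest(manifest_xml: str) -> dict:
    """Map each collection capability to True if the manifest enables it."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    enabled = {cap: bool(perms & requested) for cap, perms in CAPABILITIES.items()}
    # From Android 11 a <queries> element also exposes (a subset of) installed
    # packages without QUERY_ALL_PACKAGES, so count it toward that capability.
    if root.find("queries") is not None:
        enabled["installed_apps"] = True
    return enabled


def exposure_count(enabled: dict) -> int:
    """Number of distinct data sources an embedded SDK could reach."""
    return sum(enabled.values())


# Constructed manifest resembling the permission set described in the report.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <queries><intent><action android:name="android.intent.action.MAIN"/></intent></queries>
</manifest>"""

if __name__ == "__main__":
    result = audit_manifest(SAMPLE_MANIFEST)
    for cap, on in result.items():
        print(f"{cap:18s} {'EXPOSED' if on else 'blocked'}")
    print("exposed data sources:", exposure_count(result))
```

Run it against the manifest apktool extracts from a build to see which of the four sources a bundled library would have been able to collect on that install.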

The click-through function is accomplished by loading HTML code and injecting it into a custom, hidden WebView, then using it to make multiple URL visits, generating ad revenue.

The victim sees no indication of this activity on their device.

Figure: Goldoson click-through activity (McAfee)

Library removed, but the risk is still there

McAfee is a member of the Google App Defense Alliance, which helps protect Google Play from malware and adware threats. The researchers therefore reported their findings to Google, and the developers of the affected applications were alerted accordingly.

Many affected apps were cleaned up by their developers, who removed the offending library; those whose developers did not respond in time were removed from Google Play for not complying with store policies.

Google confirmed the action to BleepingComputer, saying the apps violate Google Play policies.

“User and developer safety is at the heart of Google Play. When we find apps that violate our policies, we take appropriate action,” Google told BleepingComputer.

“We have notified developers that their apps violate Google Play policies and that fixes are needed to bring them into compliance.”

Users who have installed an affected app from Google Play can remedy the risk by applying the latest available update.

However, Goldoson also exists on third-party Android app stores, and the chances of those still hosting the malicious library are high.

Common signs of adware and malware infection include the device heating up, rapid battery drain, and abnormally high internet data usage, even when the device is not in use.
