A new Android malware known as “Goldoson” has been found on Google Play in 60 legitimate apps with a combined total of 100 million downloads.
According to BleepingComputer, the developers of those sixty apps unknowingly incorporated a third-party library that contained the malicious component.
McAfee’s research team discovered Android malware capable of collecting a wide range of private data, including information about the user’s installed apps, WiFi and Bluetooth-connected devices, and GPS coordinates.
When a user launches an app containing Goldoson, the library registers the device and retrieves its configuration from a remote server whose address is obfuscated.
Some of the apps that are affected are:
- L.POINT with L.PAY – 10 million downloads
- Swipe Brick Breaker – 10 million downloads
- Money Manager Expense & Budget – 10 million downloads
- GOM Player – 5 million downloads
- LIVE Score, Real-Time Score – 5 million downloads
- Pikicast – 5 million downloads
- Compass 9: Smart Compass – 1 million downloads
- GOM Audio – Music, Sync lyrics – 1 million downloads
- LOTTE WORLD Magicpass – 1 million downloads
- Bounce Brick Breaker – 1 million downloads
- Infinite Slice – 1 million downloads
- SomNote – Beautiful note app – 1 million downloads
- Korea Subway Info: Metroid – 1 million downloads
The configuration sets how frequently Goldoson should perform data-stealing and ad-clicking operations on the infected device.
According to the research, the data collection mechanism is frequently set to activate every two days and send a list of installed apps, a history of previous whereabouts, the MAC addresses of devices linked through Bluetooth and WiFi, and other data to the C2 server.
The permissions granted to the malicious software during installation, as well as the Android version, have an impact on the amount of data collected.
Although handsets running Android 11 or later are better protected against arbitrary data collection, the report notes that researchers still observed Goldoson holding enough privileges to gather sensitive data in 10% of the apps on newer versions of the OS.
“Users who installed an impacted app from Google Play can remediate the risk by applying the latest available update,” BleepingComputer said in its report.
Ad revenue is generated by loading HTML code, injecting it into a customised, hidden WebView, and then utilising that WebView to issue many URL requests.
Nothing on the victim’s device reveals this activity.
In January, Google’s Threat Analysis team deactivated thousands of accounts linked to the “Dragonbridge” or “Spamouflage Dragon” gang, which disseminated bogus information in favor of China on many platforms.
The tech giant alleges that Dragonbridge buys brand-new Google Accounts from bulk account sellers and that, on occasion, it has also reused accounts previously operated by financially motivated actors, using them to post blogs and videos that propagate false information.