Goldoson Android Malware Found in 60 Apps with 100M Downloads

The malware was identified by cybersecurity researchers at McAfee.

Goldson malware can collect data from apps installed on the device, as well as from Bluetooth- and Wi-Fi-connected devices.

McAfee’s Mobile Research Team researchers discovered at least 60 malicious apps on Google Play Store infected with Android malware Goldoson. Collectively, these apps account for around 100 million installs on the Play Store and 8 million installs on the South Korean ONE Store. South Korean users are most vulnerable to downloading these apps.

Goldoson Infiltrates Legit Apps on Play Store

Researchers found that Goldoson Android malware has infiltrated the official Google Play Store via 60 legitimate apps. The malware component is based on a third-party library that all sixty apps use. Researchers assume that the developers mistakenly added it to the apps.

Which Apps Are Infected with Goldoson?

Some of the infected apps include the following:

  • Pikicast
  • GOM Player
  • LIVE Score
  • Infinite Slice
  • Real-Time Score
  • L.POINT with L.PAY
  • Swipe Brick Breaker
  • Bounce
  • Brick Breaker
  • Magicpass
  • Compass 9: Smart Compass
  • Korea Subway Info: Metroid
  • SomNote – Beautiful note app
  • GOM Audio – Music, Sync lyrics
  • Money Manager Expense & Budget

How Does The Device Gets Infected?

The Goldoson Android malware is designed to perform malicious actions on devices that download one of the 60 infected apps. Once the app is downloaded and launched, the malware library registers the app and receives its configuration from a remote server with an obfuscated domain.

This configuration sets the functions that the malware will run on the device, including ad-clicking and data-gathering features. The data collection function is activated every two days, and the collected data, along with the MAC address of connected Bluetooth and Wi-Fi devices, is transferred to a C2 server.

The ad-clicking feature is launched by loading and injecting HTML code into a hidden, customized WebView. This feature generates revenue through multiple URL visits. Overall, the Goldoson malware has been found in 60 different apps and has impacted a large number of downloads.

What is Goldoson Malware Capable of?

Goldson malware can collect data from apps installed on the device, as well as from Bluetooth- and Wi-Fi-connected devices. In addition, it can track users’ location and carry out ad fraud by clicking on ads in the background without alerting the user. Data collection relies on permissions given to an infected app when being installed. 

In a blog post, McAfee researchers stated that although Android 11 and above versions are generally considered safe against data theft due to their superior security protections, in 10% of the infected apps, Goldoson could collect sensitive data from devices running these versions.

McAfee responsibly alerted Google and the app developers, who promptly removed the malicious library from the apps. Apps in which they couldn’t remove the library were taken off the Play Store.

It is worth noting that malicious versions of these apps will still be available on third-party Android app stores even though on Play Store these apps will become safe with an update. Therefore, uninstall the app, and reinstall it from Play Store to be safe.

  1. Russian Android Spyware Tracks GPS Location
  2. Play Store Apps Drop Android Malware to Millions
  3. BRATA malware steals funds, factory resets phones
Related Posts