According to a recent report by McAfee’s research team, a new Android malware named ‘Goldoson’ has infiltrated Google Play through 60 legitimate apps that have a total of 100 million downloads. The malicious component is part of a third-party library used by all 60 apps, which their developers unknowingly added to their apps.
Popular apps infected
The impacted apps include several popular ones such as L.POINT with L.PAY, Swipe Brick Breaker, Money Manager Expense & Budget, GOM Player, LIVE Score, Real-Time Score, Pikicast, Compass 9: Smart Compass, GOM Audio – Music, Sync lyrics, LOTTE WORLD Magicpass, Bounce Brick Breaker, Infinite Slice, SomNote – Beautiful note app, and Korea Subway Info: Metroid.
Goldoson is malware that can collect data on installed apps, WiFi- and Bluetooth-connected devices, and the user’s GPS locations. Furthermore, it can perform ad fraud by clicking ads in the background without the user’s consent.
When the user launches an app that contains Goldoson, the library registers the device and receives its configuration from a remote server whose domain is obfuscated. The configuration contains parameters that set which data-stealing and ad-clicking functions Goldoson should run on the infected device and how often.
The data collection function is typically set to activate every two days, sending to the C2 server a list of installed apps, geographical location history, MAC address of devices connected over Bluetooth and WiFi, and more. The level of data collection depends on the permissions granted to the infected app during its installation and the Android version.
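The report ties what Goldoson can collect to the permissions the host app was granted and to the Android version. The following added example (not from McAfee’s report or from any of the affected apps) triages a constructed AndroidManifest.xml against a device API level and reports which of the data categories named above the bundled library could reach; the permission-to-category gating rules are a simplified reading of Android’s permission model and are an assumption, not something the report documents.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest fragment standing in for a real app's AndroidManifest.xml.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <uses-sdk android:targetSdkVersion="33"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
</manifest>"""

def parse_manifest(xml_text):
    """Return (set of requested permission names, targetSdkVersion or None)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    sdk = root.find("uses-sdk")
    target = int(sdk.get(ANDROID_NS + "targetSdkVersion")) if sdk is not None else None
    return perms, target

def collectable_data(perms, api_level, target_sdk):
    """Map granted permissions + device API level to the data categories the
    report lists. Gating rules below are an assumption (simplified Android model)."""
    p = lambda name: "android.permission." + name in perms
    out = {}
    # Installed-app list: Android 11+ filters package visibility for apps
    # targeting API 30+, unless QUERY_ALL_PACKAGES is declared (<queries> ignored here).
    out["installed_apps"] = api_level < 30 or target_sdk < 30 or p("QUERY_ALL_PACKAGES")
    # Location history: fine location, plus a background grant from Android 10 on.
    out["location_history"] = p("ACCESS_FINE_LOCATION") and (
        api_level < 29 or p("ACCESS_BACKGROUND_LOCATION"))
    # Bluetooth device identifiers: legacy BLUETOOTH before Android 12,
    # BLUETOOTH_CONNECT from Android 12 onward.
    out["bluetooth_devices"] = p("BLUETOOTH_CONNECT") if api_level >= 31 else p("BLUETOOTH")
    # Wi-Fi connection info: ACCESS_WIFI_STATE, and reading the BSSID also
    # needs a location grant from Android 8.1 onward.
    out["wifi_devices"] = p("ACCESS_WIFI_STATE") and (
        api_level < 27 or p("ACCESS_FINE_LOCATION"))
    return out

def triage(xml_text, api_level):
    perms, target = parse_manifest(xml_text)
    return collectable_data(perms, api_level, target or api_level)

if __name__ == "__main__":
    for api in (28, 33):
        print(api, triage(SAMPLE_MANIFEST, api))
```

Running the same manifest against two device API levels shows why the report says the collected data set varies per device: the sample app can enumerate installed packages on Android 9 but not on Android 13, while the reverse holds for Bluetooth device data.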
The ad-clicking function takes place by loading HTML code and injecting it into a customized, hidden WebView, and then using that to perform multiple URL visits, generating ad revenue. The victim does not see any indication of this activity on their device.
McAfee’s discovery and fast action from Google
McAfee’s researchers discovered the malware and informed Google about their findings. They also alerted the developers of the impacted apps. Most of the affected apps were cleaned by their developers, who removed the offending library, and those that didn’t respond in time had their apps removed from Google Play for non-compliance with the store’s policies.
Google confirmed that the apps violated Google Play policies, that it had notified the developers of the violation, and that fixes were required to bring the apps back into compliance.
Google Play users who installed an impacted app can remediate the risk by applying the latest available update. However, Goldoson exists on third-party Android app stores too, and the chances of those still harboring the malicious library are high.
The signs of adware and malware infection include device heating up, battery draining quickly, and unusually high internet data usage even when the device is not in use.
Source: Bill Toulas, Bleeping Computer