A new Android spyware, nicknamed “Goldoson,” has infiltrated Google Play via 60 legal apps, which have been downloaded over 100 million times. The dangerous malware component is a component of a third-party library that developers unintentionally included in their applications.
L.POINT with L.PAY, Swipe Brick Breaker, Money Manager Expense & Budget, and GOM Player are among the impacted applications, with millions of downloads. Compass 9: Smart Compass, GOM Audio – Music, Sync lyrics, LOTTE WORLD Magicpass, and Korea Subway are among the other afflicted applications with hundreds of millions of downloads.
According to McAfee’s research team, which discovered Goldoson, the malware can collect data on installed apps, Wi-Fi and Bluetooth-connected devices, and the user’s GPS location. It can also perform ad fraud by clicking on ads in the background without the user’s consent.
When a user launches an app containing Goldoson, the library registers the device and receives its configuration from a remote server whose domain is obfuscated. The configuration contains parameters that set which data-stealing and ad-clicking functions Goldoson should run on the infected device and how often.
The data collection function sends a list of installed apps, geographical location history, MAC address of devices connected over Bluetooth and Wi-Fi, and more to the C2 server. The level of data collection depends on the permissions granted to the infected app during its installation and the Android version. Even in recent versions of the OS, Goldoson had enough permissions to gather sensitive data in 10% of the apps.
The ad-clicking function takes place by loading HTML code and injecting it into a customized, hidden WebView, and then using that to perform multiple URL visits, generating ad revenue. The victim does not see any indication of this activity on their device.
Google confirmed the action, stating that the apps violated Google Play policies. “The safety of users and developers is at the core of Google Play. When we find apps that violate our policies, we take appropriate action,” Google said in a statement.
The sources for this piece include an article in BleepingComputer.