A new Android malware known as “Goldoson” has infiltrated the Google Play Store, infecting 60 apps with a total of 100 million downloads. The malicious component is part of a third-party library used by all sixty apps, which their developers inadvertently included in their applications. Popular apps affected by this malware include L.POINT with L.PAY, Swipe Brick Breaker, and Money Manager Expense & Budget, each of which contributes 10 million downloads to the total number.
Goldoson can collect data about installed apps, WiFi and Bluetooth connected devices, and the user’s GPS location. Additionally, it can commit ad fraud by clicking ads in the background without the user’s knowledge.
The McAfee research team discovered the malware and informed Google of the threat. Google then notified the developers, who removed the malicious library from the affected apps. Those who didn’t respond in time had their apps removed from Google Play for violating the store’s standards.
Users who have downloaded an affected app from Google Play can mitigate the risk by installing the latest available update. However, apps containing Goldoson are also listed in third-party Android app stores, where the library may still be present. Signs of infection include an abnormally hot device, a quickly draining battery, or unusually high internet or data usage, even when the device is not in use.
When a user runs a Goldoson-containing app, the library registers the device and obtains its configuration from an encrypted remote server. The configuration dictates which data-stealing and ad-clicking functions Goldoson should run on the infected device and how often. Every two days, the data collection mechanism starts, sending a list of installed apps, geographic location history, MAC addresses of Bluetooth and WiFi connected devices, and other information to the C2 server. The amount of data collected is determined by the permissions granted to the infected app during installation and by the Android version.