Photo by Rafapress / Shutterstock.com
A new Android malware dubbed Goldoson has been found to have infected more than 60 apps hosted on the Google Play Store. These apps have over 100 million downloads collectively, in addition to another eight million installations from the One store, a leading third-party app store in South Korea.
While the affected apps themselves are legitimate, the infectious part belongs to a third-party library used by the developers that’s capable of extracting information from the target device including a list of installed apps, GPS location as well as WiFi and Bluetooth device history from the compromised device.
The library was discovered by McAfee’s Mobile Research Team which also pointed out that the library can perform ad fraud by clicking advertisements in the background without the user’s consent. Goldoson does this by loading HTML code and injecting it into a customised, hidden webview which produces hidden traffic by visiting URLs recursively. The result is that the user has no idea that their device is being used to interact with ads online.
As for the collected data, it’s sent out periodically every two days. That said, this cycle can be changed remotely to avoid suspicion. As mentioned before, the information extracted can include a list of installed apps, location history and WiFi and Bluetooth MAC addresses among other vital pieces of information that might be used to identify individuals. The data is extracted in JSON format.
Finally, the library registers the device and gets remote configurations at the same that the app runs for the first time on a device. It’s name and remote server domain both change with each app and are obfuscated to prevent detection.
McAfee’s report contains a full list of all affected apps found. Thankfully, all of the apps have either been removed from the Play Store or have been updated to exclude the malicious library. The top six apps included in the list all have over 10 million downloads, with multiple apps coming in with over five million or lower download numbers.