Goldoson Android Malware Infects Over 100 Million Google Play Store Downloads

Goldoson Android Malware Infects Over 100 Million Google Play Store Downloads

A new Android malware epidemic named Goldoson has been found in the official Google Play Store covering more than 60 genuine apps that collectively have over 100 million downloads.

An extra eight million installations have been recorded through ONE shop, a popular third-party software marketplace in South Korea.

ALSO, READ Gmail and Google Calendar Now Support Client-Side Encryption (CSE) to Boost Data Privacy

The rogue component is part of a third-party software library utilized by the apps in question and is capable of obtaining information about installed programs, Wi-Fi and Bluetooth-connected devices, and GPS positions.

“Moreover, the library is armed with the functionality to perform ad fraud by clicking advertisements in the background without the user’s consent,” McAfee security researcher SangRyol Ryu said in a paper published last week.

Goldoson Android Malware Infects Over 100 Million Google Play Store Downloads

What’s more, it includes the ability to stealthily load web pages, a feature that could be abused to load ads for financial profit. It achieves this by loading HTML code in a hidden WebView and driving traffic to the URLs.

Following responsible disclosure to Google, 36 of the 63 offending apps have been pulled from the Google Play Store. The remaining 27 apps have been updated to remove the malicious library.

Some of the prominent apps include –

• L.POINT with L.PAY
• Swipe Brick Breaker (removed)
• Money Manager Expense & Budget
• TMAP – 대리,주차,전기차 충전,킥보드를 티맵에서!
• 롯데시네마
• 지니뮤직 – genie
• 컬쳐랜드[컬쳐캐쉬]
• GOM Player
• 메가박스 (removed), and
• LIVE Score, Real-Time Score

Goldoson Android Malware Infects Over 100 Million Google Play Store Downloads

The findings highlight the need for app developers to be transparent about the dependencies used in their software, not to mention take adequate steps to safeguard users’ information against such abuse.

“Attackers are becoming more sophisticated in their attempts to infect otherwise legitimate applications across platforms,” Kern Smith, vice president of sales engineering for the Americas at Zimperium, said.

“The use of third-party SDKs and code, and their potential to introduce malicious code into otherwise legitimate applications is only continuing to grow as attackers start to target the software supply chain to gain the largest footprint possible.”

ALSO, READ These Android Apps With A Million Play Store Installations Redirect Users To Malicious Sites

A new Android banking virus, codenamed Chameleon, has been active since January 2023, with a particular focus on customers in Australia and Poland. The infection was just unveiled by security firm Cyble.

The virus uses Android’s accessibility services to steal credentials and cookies, log keystrokes, delay its uninstallation, and do other malicious actions, making it no different from other banking malware found in the wild.

Goldoson Android Malware Infects Over 100 Million Google Play Store Downloads

In addition to intercepting SMS messages and displaying malicious overlays over a selected set of apps, it also includes the capability to download and run a second payload, which is currently disabled.

True to its name, Chameleon likes to hide, therefore it includes anti-emulation checks that trigger an exit if the device is rooted if the code is being run in a debugging environment.

ALSO, READ Hackers Sign Android Malware Apps with Compromised Platform Certificates

To mitigate such threats, users are recommended to only download apps from trusted sources, scrutinize app permissions, use strong passwords, enable multi-factor authentication, and exercise caution when receiving SMS or emails from unknown senders.