A new Android malware called Goldoson has recently been discovered in more than 60 legitimate apps on the official Google Play Store, with these apps collectively reaching over 100 million downloads. Additionally, the malware has infected eight million installations through ONE store, a popular third-party app storefront in South Korea.
The Goldoson threat: Stealthy ad fraud and information gathering
The malicious component of Goldoson is part of a third-party software library used by the affected apps. This malware is capable of gathering information about installed apps, Wi-Fi and Bluetooth-connected devices, and GPS locations. According to McAfee security researcher SangRyol Ryu, the library also contains functionality that enables it to perform ad fraud by clicking advertisements in the background without the user’s consent.
Furthermore, Goldoson can secretly load web pages, a feature that can be exploited to display ads for financial gain. It does this by loading HTML code in a hidden WebView and directing traffic to specific URLs.
Google takes action: Removal and updates
After responsible disclosure to Google, 36 of the 63 offending apps have been removed from the Google Play Store, while the remaining 27 apps have been updated to eliminate the malicious library.
Goldoson affected numerous apps. These include L.POINT with L.PAY, Money Manager Expense & Budget, and 롯데시네마. 지니뮤직 – genie and GOM Player were also impacted. Swipe Brick Breaker and 메가박스 were removed due to the malware. LIVE Score, Real-Time Score was another victim.
App developers must be transparent about the dependencies used in their software and take adequate steps to protect users’ information against abuse.
Kern Smith from Zimperium states that attackers grow more sophisticated in targeting legitimate applications.
He advises users to download apps from trusted sources, check app permissions, and use strong passwords. Additionally, users should enable multi-factor authentication and be cautious with unknown SMS or emails.
{{user}} {{datetime}}
{{text}}