
A new Android malware known as “Goldoson” has infiltrated the Google Play Store, infecting 60 apps with a total of 100 million downloads.

The harmful Goldoson component is part of a third-party library that all sixty apps use and that their developers unintentionally included in their applications. L.POINT with L.PAY, Swipe Brick Breaker, and Money Manager Expense & Budget are among the most popular apps affected by this malware. Each of these contributes 10 million downloads to the total figure.

The malware can collect data about installed apps, WiFi and Bluetooth-connected devices, and the user’s GPS location. More than that, Goldoson can also commit ad fraud by clicking adverts in the background without the user’s knowledge.


Not in the safe zone yet

This is according to McAfee’s research team, which discovered the malware and informed Google of the threat. McAfee is a Google App Defense Alliance member that works to keep Google Play free of viruses and spyware.

Google notified the developers, who removed the harmful library from the affected apps. Those who did not answer in time had their apps deleted from Google Play for violating the store’s standards.

Users who downloaded an impacted app from Google Play can mitigate the risk by installing the most recent available update. However, even if users take these precautions, Goldoson is also present in third-party Android app stores, and the chances that apps there still include the library are high.

Signs that malware has infected a device include abnormal heating, quick battery drain, or unusually high internet or data usage, even when the device is not in use.

How does it work?

When a user runs a Goldoson-containing app, the library registers the device and obtains its configuration from an encrypted remote server. The configuration dictates which data-stealing and ad-clicking functions Goldoson should perform on the infected device and how frequently.

Every two days, the data collecting mechanism kicks in. It then transmits a list of installed apps, geographical location history, MAC addresses of devices connected via Bluetooth and WiFi, and other information to the C2 server. The amount of data collected is determined by the permissions granted to the infected app during installation as well as the Android version.
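The two-day reporting cycle described above leaves a regular pattern in network logs that a defender can look for. The following is an added example, not code from McAfee or from the original article: it scans a constructed proxy log for device and host pairs contacted at a steady 48-hour interval. The log format, the `.example` hostnames, the 2-hour tolerance and the four-event minimum are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample proxy log: ISO timestamp, device id, destination host.
# Hostnames use the reserved .example TLD; none are real indicators.
SAMPLE_LOG = """\
2023-04-01T03:10:00 tablet-07 sdk-config.example
2023-04-03T03:14:00 tablet-07 sdk-config.example
2023-04-05T03:08:00 tablet-07 sdk-config.example
2023-04-07T03:12:00 tablet-07 sdk-config.example
2023-04-01T09:00:00 tablet-07 news.example
2023-04-01T09:05:00 tablet-07 news.example
2023-04-03T09:00:00 tablet-07 news.example
2023-04-04T18:30:00 tablet-07 news.example
"""

PERIOD_H = 48.0      # cadence stated in the article: every two days
TOLERANCE_H = 2.0    # assumed allowance for scheduling jitter
MIN_EVENTS = 4       # assumed minimum: three consecutive ~48 h gaps


def parse(log_text):
    """Group request timestamps by (device, host)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank lines or lines without three fields
        ts, device, host = parts
        seen[(device, host)].append(datetime.fromisoformat(ts))
    return seen


def find_two_day_beacons(log_text):
    """Return (device, host, median_gap_hours) for steady ~48 h contact."""
    hits = []
    for (device, host), times in sorted(parse(log_text).items()):
        if len(times) < MIN_EVENTS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
        # Every gap must sit near the period, so bursty traffic is not flagged.
        if all(abs(g - PERIOD_H) <= TOLERANCE_H for g in gaps):
            hits.append((device, host, round(median(gaps), 2)))
    return hits


print(find_two_day_beacons(SAMPLE_LOG))
```

A device that is powered off across one cycle produces a 96-hour gap and is missed by this strict check; accepting multiples of the period trades that miss for more false positives.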