Goldoson Android Malware Infects Over 100 Million Google Play Store Downloads
A new Android malware strain named Goldoson has been detected in the official Google Play Store which includes more than 60 official apps which collectively have more than 100 million downloads.
Eight million additional installations were tracked through ONE store, South Korea’s leading third-party app storefront.
Rogue components are part of a library of third-party software used by the application in question and are capable of gathering information about installed applications, connected Wi-Fi and Bluetooth devices, and GPS location.
“In addition, the library is armed with functionality to commit ad fraud by clicking ads in the background without user consent,” McAfee security researcher SangRyol Ryu said in a report published last week.
What’s more, it includes the ability to silently load web pages, a feature that can be abused to load ads for financial gain. This is achieved by loading the HTML code in a hidden way WebView and direct traffic to the URL.
Following responsible disclosure to Google, 36 out of 63 infringing apps have been pulled from the Google Play Store. The remaining 27 apps have been updated to remove malicious libraries.
Some of the notable apps include –
- L. POINT with L. PAY
- Swipe Brick Breaker (removed)
- Money Manager Expenses & Budgets
- TMAP – Delegation, parking, electric vehicle charging, kickboard on T-map!
- Lotte Cinema
- Music Genie – genie
- Cultural Land (Cultural Cash)
- GO player
- Megabox (deleted), and
- LIVE Score, Real Time Score
The findings highlight the need for application developers to be transparent about the dependencies used in their software, not to mention taking adequate steps to protect user information from such misuse.
“Attackers are becoming more sophisticated in their attempts to infect legitimate applications across platforms,” said Kern Smith, vice president of sales engineering for Americas at Zimperium.
“Use of third-party SDKs and code, and their potential to inject malicious code into legitimate applications only continues to grow as attackers begin to target the software supply chain for the largest possible footprint.”
Master the Art of Dark Web Intelligence Gathering
Learn the art of extracting threat intelligence from the dark web – Join this expert-led webinar!
The development comes as Cyble unveils a new Android banking trojan dubbed Chameleon active since January 2023 and targets users in Australia and Poland.
This Trojan is no different from any other banking malware seen in the wild as it abuses Android’s accessibility services to retrieve credentials and cookies, logs keystrokes, prevents their uninstallation, and performs other malicious activity.
It’s also designed to display malicious overlays over certain app lists, intercept SMS messages, and even consist of an unused function that allows it to download and run other payloads.
Chameleon, true to its name, has a tendency to circumvent it by incorporating anti-emulation checks to detect whether the device is rooted or running in a debug environment, and if so, terminate itself.
To mitigate these threats, users are advised to only download apps from trusted sources, check app permissions, use strong passwords, enable multi-factor authentication, and be careful when receiving SMS or emails from unknown senders.
