The malicious Goldoson app was downloaded more than 100 million times from the Google Play Store, causing an Android-based malware outbreak.
Cybersecurity researchers recently identified a malicious Android strain called Goldoson, which has infiltrated more than 60 applications on the official Google Play Store. The apps have been downloaded a staggering 100 million times.
The same malware has been downloaded an additional eight million times through ONE store, a popular third-party app provider in South Korea. Goldoson has the capacity to harvest data from installed apps, Wi-Fi and Bluetooth-connected gadgets, and GPS locations.
How Was Goldoson Uncovered?
McAfee’s Mobile Research Team identified a software library, named Goldoson, which gathers lists of installed applications, as well as a history of Wi-Fi and Bluetooth device data, along with nearby GPS locations. Furthermore, the library has the capability to commit ad fraud by clicking on ads in the background without the user’s consent.
The research team uncovered more than 60 apps containing this third-party malicious library, with a total of 100 million downloads across Google Play and the ONE store app markets in South Korea. Although the malicious library was created by an external party, not the app developers, the risk to those who have installed the apps remains.
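The data-collection profile described above (installed-app list, Wi-Fi and Bluetooth device data, GPS location) can be turned into a simple manifest triage check. The following is an added example, not McAfee's tooling or the article's own code; the mapping from each capability to the Android permissions that would grant it is my assumption, and the sample manifest is constructed.

```python
"""Triage helper: flag AndroidManifest.xml permission sets that match the
collection profile reported for Goldoson (installed apps, Wi-Fi, Bluetooth,
GPS). Added example; the permission mapping is an assumption, not from the
report."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: capability -> permissions that would typically enable it.
CAPABILITIES = {
    "installed_app_list": {"android.permission.QUERY_ALL_PACKAGES"},
    "wifi_devices": {"android.permission.ACCESS_WIFI_STATE"},
    "bluetooth_devices": {"android.permission.BLUETOOTH",
                          "android.permission.BLUETOOTH_CONNECT",
                          "android.permission.BLUETOOTH_SCAN"},
    "gps_location": {"android.permission.ACCESS_FINE_LOCATION",
                     "android.permission.ACCESS_COARSE_LOCATION"},
}


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name")
            for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def matched_capabilities(permissions):
    """Capabilities for which at least one enabling permission is declared."""
    return {cap for cap, perms in CAPABILITIES.items() if perms & permissions}


def triage(manifest_xml, threshold=3):
    """Shortlist an app when it covers at least `threshold` capabilities."""
    perms = declared_permissions(manifest_xml)
    caps = matched_capabilities(perms)
    return {"permissions": sorted(perms),
            "capabilities": sorted(caps),
            "suspicious": len(caps) >= threshold}


# Constructed sample: a "flashlight" app declaring the full collection set.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

Permission breadth alone is not proof of a bundled malicious library; the check only shortlists apps whose declared capabilities fit the reported profile for closer review.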
How Does Goldoson Infect Android Users?
The Goldoson library registers the device and fetches remote configurations when the app is launched. The name of the library and the domain of the remote server vary for each app and are encrypted. The moniker “Goldoson” is derived from the first discovered domain name, McAfee’s team said.
The remote configuration holds details for each feature and the frequency of the components. The library collects device information according to the parameters, then transmits it to a remote server. Tags like ‘ads_enable’ and ‘collect_enable’ signal to the library which functions to activate or deactivate, with further parameters dictating conditions and availability.
The library has the capacity to load web pages without the user’s knowledge, which can be used to generate revenue by displaying ads. It works by injecting HTML code into a hidden WebView and recursively visiting URLs, thus creating hidden traffic.
Google Play has seen more than 100 million downloads of contaminated apps, and Korea’s premier app store trails not far behind with approximately 8 million installations.