Goldoson Malware Found in Dozens of Google Play Store Apps

Security researchers have discovered a new malicious software library capable of collecting lists of installed applications, a history of Wi-Fi and Bluetooth device information, and nearby GPS location data.

Dubbed Goldoson by McAfee’s Mobile Research Team, the library can also load web pages without user awareness and perform advertisement fraud by clicking on ad links in the background without the victim’s consent.

“The research team has found more than 60 applications containing this third-party malicious library, with more than 100 million downloads confirmed in the ONE store and Google Play app download markets in South Korea,” wrote McAfee’s SangRyol Ryu. “While the malicious library was made by someone else, not the app developers, the risk to installers of the apps remains.”

From a technical standpoint, the Goldoson library registers the device and gets remote configurations while the app runs.

“The library name and the remote server domain vary with each application and are obfuscated. The name Goldoson is after the first found domain name,” Ryu explained.

Further, the remote configuration contains the parameters for each functionality, specifying how often each component runs.

“Based on the parameters, the library periodically checks, pulls device information, and sends them to the remote servers,” reads the advisory. For instance, collected data is sent out every two days by default, but the cycle can be changed by the remote configuration.

The McAfee team said it notified Google of the malicious apps. As a result of the disclosure, some apps were removed from Google Play while others were updated by the official developers.

“As applications continue to scale in size and leverage additional external libraries, it is important to understand their behavior,” Ryu concluded. “App developers should be upfront about libraries used and take precautions to protect users’ information.”

The Goldoson library disclosure comes a couple of months after Kaspersky security researchers announced the discovery of 196,476 new mobile banking Trojan installers in 2022, doubling the number observed in 2021.
