The Mobile Research Team at McAfee discovered a software library that it has dubbed Goldoson. Goldoson compiles lists of installed apps, as well as a history of Wi-Fi and Bluetooth device information, including nearby GPS coordinates. The library can also commit advertising fraud by clicking on banner ads in the background without the user's knowledge or consent.
The research team found more than 60 apps that included this malicious third-party library, with more than 100 million verified downloads in the ONE store and Google Play app marketplaces in South Korea. Even though the malicious library was developed by a third party and not by the apps' original authors, anyone who installed these apps is still at risk.
This setup determines the operations that the malware will perform on the device, such as collecting data and clicking on advertisements when they are shown. The data collection function runs every other day, and the gathered information, together with the MAC addresses of any Bluetooth or Wi-Fi devices that are currently connected, is sent to a C2 server.
The ad-clicking capability works by loading HTML code and injecting it into a customized, hidden WebView. This function generates revenue by producing multiple visits to different URLs.
The malware can collect data not only from the device itself but also from other Bluetooth and Wi-Fi devices connected to it. It can also track users' location and commit ad fraud by clicking on advertisements in the background without the user being aware of it. Data collection relies on the permissions granted to the infected app when it is installed.
Researchers from McAfee said in a blog post that although Android versions 11 and above are normally regarded as secure against data theft owing to their stronger security safeguards, Goldoson could capture sensitive data from smartphones running these versions in 10% of the infected applications.
Google has reportedly informed the app developers that their apps violate Google Play's policies and that changes must be made to bring them into compliance. Several applications had to be removed from Google Play, while the official developers of other apps updated their versions. Users are strongly advised to upgrade their apps to the most recent available versions in order to rid their devices of the discovered threat.
Keep in mind that malicious versions of these applications will remain available on third-party Android app stores even after an update makes the apps safe to download from the Play Store. Therefore, you should remove the app from your device and then reinstall it from the Play Store.