A new malware called ‘Goldoson’ has been discovered in the Google Play store, posing a threat to over 10 crore Android users. The malware was identified by McAfee’s research team and is capable of collecting sensitive data from users’ devices, including installed apps, WiFi and Bluetooth-connected devices, and GPS locations.
60 Legitimate Apps Infected with Goldoson Malware
The Goldoson malware has been found in 60 legitimate apps on the Google Play store, including popular ones such as Swipe Brick Breaker, Money Manager Expense & Budget, and L.POINT with L.PAY, which have more than 10 million downloads each.
Data Collection and Ad Fraud Capabilities of Goldoson Malware
The Goldoson malware is capable of collecting a wide range of sensitive data from infected devices. According to the report, it can gather information on the user’s installed apps, WiFi and Bluetooth-connected devices, and GPS locations. In addition, the malware can perform ad fraud by clicking ads in the background without the user’s consent.
Inadvertent Inclusion of Goldoson Malware in Third-Party Library
The Goldoson malware was inadvertently incorporated into the apps through a third-party library used by their developers, as per the report by BleepingComputer. When a user runs an app that contains Goldoson, the library registers the device and fetches its configuration from an obfuscated remote server.
Data Collection Mechanism and Frequency of Goldoson Malware
Goldoson’s configuration specifies which data-stealing and ad-clicking functions it should perform on the infected device and how often. The data collection routine is commonly set to activate every two days, transmitting a list of installed apps, location history, MAC addresses of devices connected via Bluetooth and WiFi, and other information to the C2 server.
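Because the article describes a fixed two-day collection cadence, one defensive check is to look in egress or proxy logs for destinations a device contacts at that regular interval. The following is an added example, not code from the article or from McAfee’s report; the log format, host names and timestamps are constructed, and the two-day expected interval and the tolerance thresholds are assumptions chosen for illustration.

```python
"""Flag destinations that a device contacts on a regular ~48h cadence.

Added example (not from the article or McAfee's report). Goldoson is
described as transmitting collected data roughly every two days, so a
defender can search egress logs for hosts contacted at that interval.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <device id> <destination host>".
# The .invalid TLD is reserved, so these hosts are placeholders, not real IoCs.
SAMPLE_LOG = """\
2023-04-01T03:12:09 device-a config.example-sdk.invalid
2023-04-01T08:40:22 device-a cdn.example-news.invalid
2023-04-03T03:11:47 device-a config.example-sdk.invalid
2023-04-02T19:05:00 device-a cdn.example-news.invalid
2023-04-05T03:12:30 device-a config.example-sdk.invalid
2023-04-05T11:00:13 device-a cdn.example-news.invalid
2023-04-07T03:13:02 device-a config.example-sdk.invalid
2023-04-09T03:12:15 device-a config.example-sdk.invalid
"""


def parse_log(text):
    """Return {(device, host): [datetime, ...]} with timestamps sorted."""
    contacts = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, host = line.split()
        contacts[(device, host)].append(datetime.fromisoformat(ts))
    for times in contacts.values():
        times.sort()
    return contacts


def find_periodic_beacons(contacts, expected=timedelta(days=2),
                          tolerance=timedelta(hours=2), min_intervals=3):
    """Return [(device, host, mean_gap_hours)] for contact series whose gaps
    cluster tightly around `expected`. Thresholds are assumptions for this
    example; tune them to the environment's own baseline."""
    tol_h = tolerance.total_seconds() / 3600
    expected_h = expected.total_seconds() / 3600
    hits = []
    for (device, host), times in contacts.items():
        gaps_h = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
        if len(gaps_h) < min_intervals:
            continue  # too few observations to call a cadence
        avg, spread = mean(gaps_h), pstdev(gaps_h)
        # Mean gap near the expected interval AND low jitter between gaps.
        if abs(avg - expected_h) <= tol_h and spread <= tol_h:
            hits.append((device, host, round(avg, 2)))
    return hits


if __name__ == "__main__":
    for hit in find_periodic_beacons(parse_log(SAMPLE_LOG)):
        print("regular ~48h cadence:", hit)
```

In the constructed sample only the config host shows the cadence; the news CDN is contacted at irregular times and is skipped. In practice a hit is a lead for further triage (which app on the device owns the traffic, and what it sends), not a verdict on its own.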
Impact on Different Android Versions and Permissions
The amount of data collected by Goldoson is determined by the permissions granted to the infected app during installation and the Android version. Although devices with Android 11 or newer versions are better protected against arbitrary data collection, researchers discovered that Goldoson had enough rights to acquire sensitive data in 10 percent of the apps even in newer versions of the OS.
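The point that the reachable data depends on both the granted permissions and the Android version can be turned into a simple triage check over an app’s declared permissions. The following is an added example, not code from the article or from McAfee’s report; the permission-to-data mapping is a deliberately simplified assumption based on documented Android permission rules (package-visibility filtering from Android 11, separate Bluetooth scan permission from Android 12), and the sample permission list is constructed.

```python
"""Triage which Goldoson-style data categories an app could reach, given
its declared permissions and the Android API level it runs on.

Added example, not from the article or McAfee's report. The mapping is a
simplified assumption: real outcomes also depend on runtime grants, the
app's target SDK and vendor behaviour.
"""

FINE_LOC = "android.permission.ACCESS_FINE_LOCATION"
COARSE_LOC = "android.permission.ACCESS_COARSE_LOCATION"
WIFI_STATE = "android.permission.ACCESS_WIFI_STATE"
BLUETOOTH = "android.permission.BLUETOOTH"
BLUETOOTH_SCAN = "android.permission.BLUETOOTH_SCAN"
QUERY_ALL_PACKAGES = "android.permission.QUERY_ALL_PACKAGES"

# Constructed permission set resembling what an ad/analytics SDK might request.
SAMPLE_PERMS = ["android.permission.INTERNET", FINE_LOC, WIFI_STATE, BLUETOOTH]


def exposed_categories(permissions, android_api_level):
    """Return {data_category: reason} for the categories the article names."""
    perms = set(permissions)
    has_location = bool(perms & {FINE_LOC, COARSE_LOC})
    exposed = {}

    # GPS location history: needs fine location.
    if FINE_LOC in perms:
        exposed["gps_location"] = "ACCESS_FINE_LOCATION"

    # Installed-app inventory: unrestricted before Android 11 (API 30);
    # afterwards package visibility is filtered unless QUERY_ALL_PACKAGES is held.
    if android_api_level < 30:
        exposed["installed_apps"] = "no permission required before Android 11"
    elif QUERY_ALL_PACKAGES in perms:
        exposed["installed_apps"] = "QUERY_ALL_PACKAGES"

    # Bluetooth device discovery: Android 12 (API 31) introduced BLUETOOTH_SCAN;
    # earlier releases relied on the legacy BLUETOOTH permission plus location.
    if android_api_level >= 31:
        if BLUETOOTH_SCAN in perms:
            exposed["bluetooth_devices"] = "BLUETOOTH_SCAN"
    elif BLUETOOTH in perms and has_location:
        exposed["bluetooth_devices"] = "BLUETOOTH + location"

    # Wi-Fi connection details: ACCESS_WIFI_STATE plus location on modern releases.
    if WIFI_STATE in perms and has_location:
        exposed["wifi_devices"] = "ACCESS_WIFI_STATE + location"

    return exposed


def exposure_by_version(permissions, api_levels=(29, 31, 33)):
    """Compare how many categories the same permission set reaches per release."""
    return {api: sorted(exposed_categories(permissions, api)) for api in api_levels}


if __name__ == "__main__":
    for api, cats in exposure_by_version(SAMPLE_PERMS).items():
        print(f"API {api}: {cats}")
```

Running it on the constructed permission set shows the article’s point: the same permissions reach all four categories on Android 10 but only location and Wi-Fi details on Android 12 and 13, unless the app also declares the newer explicit permissions.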
Ad Income Generation and Stealthy Execution of Goldoson Malware
Goldoson generates ad income by loading HTML code into a customized, hidden WebView and using it to perform numerous URL visits in the background. The victim’s device shows no indication of this activity, which makes the malware’s operation stealthy.