New Android malicious library Goldoson found in 60 apps +100M downloads

A new Android malware named Goldoson was distributed through 60 legitimate apps on the official Google Play store.

The Goldoson library was discovered by researchers from McAfee’s Mobile Research Team, it collects lists of applications installed on a device, and a history of Wi-Fi and Bluetooth devices information, including nearby GPS locations. The third-party library can perform ad fraud by clicking advertisements in the background without the user’s consent. The experts have found more than 60 applications in Google Play that were containing the malicious library. The apps totaled more than 100 million downloads in the ONE store and Google Play stores in South Korea. 

It is important to highlight that the library was not developed by the authors of the apps. 

The security firm reported its findings to Google, which notified the development teams. Some apps were updated by removing the malicious library, while other apps were removed from Google Play.  

Below is the list of the apps using the malicious library that had the highest number of downloads:

Package Name	Application Name	GooglePlay Downloads	GP Status
com.lottemembers.android	L.POINT with L.PAY	10M+	Updated*
com.Monthly23.SwipeBrickBreaker	Swipe Brick Breaker	10M+	Removed**
com.realbyteapps.moneymanagerfree	Money Manager Expense & Budget	10M+	Updated*
com.skt.tmap.ku	TMAP – 대리,주차,전기차 충전,킥보 …	10M+	Updated*
kr.co.lottecinema.lcm	롯데시네마	10M+	Updated*
com.ktmusic.geniemusic	지니뮤직 – genie	10M+	Updated*
com.cultureland.ver2	컬쳐랜드[컬쳐캐쉬]	5M+	Updated*
com.gretech.gomplayerko	GOM Player	5M+	Updated*
com.megabox.mop	메가박스(Megabox)	5M+	Removed**
kr.co.psynet	LIVE Score, Real-Time Score	5M+	Updated*
sixclk.newpiki	Pikicast	5M+	Removed**

Upon executing one of the above apps, the Goldoson library registers the device and gets configurations from a remote server. 

“Remote configuration contains the parameters for each of functionalities and it specifies how often it runs the components. Based on the parameters, the library periodically checks, pulls device information, and sends them to the remote servers.” reads the analysis published by the security firm. “The tags such as ‘ads_enable’ or ‘collect_enable’ indicates each functionality to work or not while other parameters define conditions and availability.”

The library can load web pages without user awareness, this means that the malware can load ads for financial profit. 

The collected data is sent to the C2 server every two days, but the cycle depends on the remote configuration.

The level of data collection depends on the permissions granted to the app using the malicious library. McAfee discovered that even in recent Android versions, Goldoson was able to gather sensitive data in 10% of the apps.

“As applications continue to scale in size and leverage additional external libraries, it is important to understand their behavior. App developers should be upfront about libraries used and take precautions to protect users’ information.” concludes the report.

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

• The Teacher – Most Educational Blog
• The Entertainer – Most Entertaining Blog
• The Tech Whizz – Best Technical Blog
• Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Siemens Metaverse)