New Android malicious library Goldoson found in 60 apps +100M downloads

Pierluigi Paganini April 15, 2023

A new Android malware named Goldoson was distributed through 60 legitimate apps on the official Google Play store.

The Goldoson library was discovered by researchers from McAfee’s Mobile Research Team, it collects lists of applications installed on a device, and a history of Wi-Fi and Bluetooth devices information, including nearby GPS locations. The third-party library can perform ad fraud by clicking advertisements in the background without the user’s consent. The experts have found more than 60 applications in Google Play that were containing the malicious library. The apps totaled more than 100 million downloads in the ONE store and Google Play stores in South Korea. 

It is important to highlight that the library was not developed by the authors of the apps. 

The security firm reported its findings to Google, which notified the development teams. Some apps were updated by removing the malicious library, while other apps were removed from Google Play.  

Below is the list of the apps using the malicious library that had the highest number of downloads:

Package Name Application Name GooglePlay Downloads GP
Status 
com.lottemembers.android L.POINT with L.PAY 10M+  Updated* 
com.Monthly23.SwipeBrickBreaker Swipe Brick Breaker 10M+ Removed** 
com.realbyteapps.moneymanagerfree Money Manager Expense & Budget 10M+ Updated* 
com.skt.tmap.ku TMAP – 대리,주차,전기차 충전,킥보 … 10M+ Updated* 
kr.co.lottecinema.lcm 롯데시네마 10M+ Updated* 
com.ktmusic.geniemusic 지니뮤직 – genie 10M+ Updated* 
com.cultureland.ver2 컬쳐랜드[컬쳐캐쉬] 5M+ Updated* 
com.gretech.gomplayerko GOM Player 5M+ Updated* 
com.megabox.mop 메가박스(Megabox) 5M+ Removed** 
kr.co.psynet LIVE Score, Real-Time Score 5M+ Updated* 
sixclk.newpiki Pikicast 5M+ Removed**

Upon executing one of the above apps, the Goldoson library registers the device and gets configurations from a remote server. 

“Remote configuration contains the parameters for each of functionalities and it specifies how often it runs the components. Based on the parameters, the library periodically checks, pulls device information, and sends them to the remote servers.” reads the analysis published by the security firm. “The tags such as ‘ads_enable’ or ‘collect_enable’ indicates each functionality to work or not while other parameters define conditions and availability.”

The library can load web pages without user awareness, this means that the malware can load ads for financial profit. 

Goldoson

The collected data is sent to the C2 server every two days, but the cycle depends on the remote configuration.

The level of data collection depends on the permissions granted to the app using the malicious library. McAfee discovered that even in recent Android versions, Goldoson was able to gather sensitive data in 10% of the apps.

“As applications continue to scale in size and leverage additional external libraries, it is important to understand their behavior. App developers should be upfront about libraries used and take precautions to protect users’ information.” concludes the report.

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

  • The Teacher – Most Educational Blog
  • The Entertainer – Most Entertaining Blog
  • The Tech Whizz – Best Technical Blog
  • Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Siemens Metaverse)



you might also like

leave a comment