In an ideal world, every app you download from the Play Store would be perfectly safe. After all, Google has strict rules and regulations to weed out any apps that may try to harm potential users. Unfortunately, we don’t live in an ideal world, and malware makes its way onto official marketplaces every day. The latest example involves dozens of apps, downloaded millions of times, unbeknownst to both the users and the developers alike.
Goldoson malware is far reaching
McAfee’s Mobile Research Team discovered a new malicious library they identify as “Goldoson,” which made its way onto Google’s Play Store and South Korea’s ONE Store through 60 approved apps. All in, Goldoson apps were downloaded 100 million times, with three apps downloaded 10 million times each. Bleeping Computer highlighted 13 of the most popular apps that were affected in this malware breach:
- L.POINT with L.PAY: 10 million downloads
- Swipe Brick Breaker: 10 million downloads
- Money Manager Expense & Budget: 10 million downloads
- GOM Player: 5 million downloads
- LIVE Score, Real-Time Score: 5 million downloads
- Pikicast: 5 million downloads
- Compass 9: Smart Compass: 1 million downloads
- GOM Audio – Music, Sync lyrics: 1 million downloads
- LOTTE WORLD Magicpass: 1 million downloads
- Bounce Brick Breaker: 1 million downloads
- Infinite Slice: 1 million downloads
- SomNote – Beautiful note app: 1 million downloads
- Korea Subway Info: Metroid: 1 million downloads
Unlike past malware app discoveries, however, the developers of these 60 apps were not knowingly complicit. Their apps were legitimate, but they relied on a third-party library that contained the Goldoson malware.
How Goldoson works
Thanks to McAfee’s research, we know Goldoson collects the list of apps installed on your device, as well as a log of Wi-Fi networks, Bluetooth connections, and GPS locations. The library only has access to this information if you grant the host app the corresponding permissions, but since there was nothing suspicious about the apps in the first place, those permissions may well have been granted. The library can then click ads in the background without your knowledge, racking up profits in an act of ad fraud.
When you install an app that bundles the Goldoson library, the library registers your device and begins communicating with its server. The server then dictates how often Goldoson should click ads or steal your data. This usually runs every two days, at which point the library sends a full list of whatever installed apps, location history, device count, and network connections it has picked up in that time.
Update or delete these apps ASAP
According to McAfee’s list, all of these apps have either been updated or removed from the Play Store at this time. That means you need to be proactive: Take a look at the list of apps in McAfee’s report and see if you have any on your Android device. If so, take note of which apps have been updated and which have been removed. If there’s an update available, install it ASAP. However, if the app is no longer on the Play Store, delete it immediately. Google may have removed the app from the Play Store, but that does not remove the copy already installed on your device.
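For anyone checking more than one device, the manual comparison above can be scripted. The following is an added example written for this article, not code from McAfee or from any of the affected apps. It assumes the device's third-party package list was captured with `adb shell pm list packages -3` and each app's permission state with `adb shell dumpsys package <pkg>`; the package names and the watchlist statuses are constructed placeholders, since the report lists apps by display name rather than package name. The script reports, for each installed watchlisted package, whether to update or uninstall it and which of the permissions the article describes (location, Bluetooth, Wi-Fi state) the app currently holds.

```python
"""Goldoson triage helper (added example; assumes adb-captured inventory and
dumpsys output, with placeholder package names standing in for real ones)."""
import re

# Constructed watchlist: package name -> status from the vendor advisory.
# "updated" = a cleaned build is on the store; "removed" = delisted, so uninstall.
WATCHLIST = {
    "com.example.placeholder.brickbreaker": "updated",
    "com.example.placeholder.scoreapp": "removed",
}

# Permissions that give the library the data the article says it collects.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.BLUETOOTH_CONNECT",
    "android.permission.BLUETOOTH_SCAN",
    "android.permission.ACCESS_WIFI_STATE",
}


def parse_pm_list(text):
    """Return the set of package names from `pm list packages` output."""
    return {m.group(1) for m in re.finditer(r"^package:(\S+)", text, re.M)}


def granted_permissions(dumpsys_text):
    """Return every permission `dumpsys package` reports as granted=true."""
    return {m.group(1) for m in re.finditer(r"(\S+): granted=true", dumpsys_text)}


def triage(installed, dumpsys_by_pkg, watchlist=WATCHLIST):
    """Map each installed watchlisted package to an action plus its sensitive grants."""
    result = {}
    for pkg in sorted(installed & set(watchlist)):
        action = "update" if watchlist[pkg] == "updated" else "uninstall"
        grants = granted_permissions(dumpsys_by_pkg.get(pkg, "")) & SENSITIVE
        result[pkg] = {"action": action, "sensitive_grants": sorted(grants)}
    return result


# Constructed sample inputs standing in for real adb captures.
SAMPLE_PM = """package:com.example.placeholder.brickbreaker
package:com.example.placeholder.scoreapp
package:com.example.placeholder.unrelated
"""

SAMPLE_DUMPSYS = {
    "com.example.placeholder.brickbreaker": """    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_WIFI_STATE: granted=true
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.BLUETOOTH_CONNECT: granted=false, flags=[ USER_SET ]
""",
    "com.example.placeholder.scoreapp": """    runtime permissions:
      android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET ]
""",
}


if __name__ == "__main__":
    report = triage(parse_pm_list(SAMPLE_PM), SAMPLE_DUMPSYS)
    for pkg, info in report.items():
        print(f"{pkg}: {info['action']} (holds: {', '.join(info['sensitive_grants']) or 'none'})")
```

Feeding it real captures means replacing the two sample strings with the command output and the placeholder package names with the ones from the advisory; packages not on the watchlist are ignored, and a watchlisted package that holds none of the sensitive permissions is still reported, since the ad-click behaviour does not depend on them.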