Thursday September 19, 2024

Advisory ID: NCC-CSIRT-180423-019

Summary:  A new Android malware named 'Goldoson' has infiltrated Google Play through 60 legitimate apps that collectively have 100 million downloads. The malware, discovered by McAfee's research team, can collect a range of sensitive data, including information on the user's installed apps, WiFi- and Bluetooth-connected devices, and GPS locations. Additionally, it can perform ad fraud by clicking ads in the background without the user's consent.

Vulnerable Platform(s): Android Operating Systems  

Threat Type:  Malware

Product:  Google Play Store Applications

Version:  All Versions

Description:  

The malicious component is part of a third-party library that the developers of all sixty apps unknowingly added to their apps. When a user runs a Goldoson-containing app, the library registers the device and obtains its configuration from an obfuscated remote server. The configuration contains parameters that set which data-stealing and ad-clicking functions Goldoson should run on the infected device and how often. The data collection mechanism is commonly set to activate every two days, transmitting a list of installed apps, geographical position history, MAC addresses of devices connected via Bluetooth and WiFi, and other information to the C2 server. The amount of data collected is determined by the permissions granted to the infected app during installation as well as the Android version.
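
Because the data Goldoson can reach depends on the permissions the host app already holds, one defensive check is to audit installed apps for the permission combination that covers the three data categories named above. The following is an added example, not code from the advisory, McAfee or the affected apps: it parses text shaped like abbreviated `adb shell dumpsys package` output (the sample is constructed and its package names are placeholders) and flags packages holding INTERNET plus permissions for two or more of those categories. The grouping of real Android permission names into categories is an assumption made for this check.

```python
import re
from collections import defaultdict

# Real Android permission names; grouping them into the advisory's three data
# categories is an assumption made for this check, not something the page states.
P = "android.permission."
CATEGORIES = {
    "installed-apps": {P + "QUERY_ALL_PACKAGES"},  # only required on Android 11+
    "gps-location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "wifi-bluetooth-peers": {P + "BLUETOOTH", P + "BLUETOOTH_CONNECT",
                             P + "BLUETOOTH_SCAN", P + "ACCESS_WIFI_STATE"},
}

# Constructed sample shaped like abbreviated `adb shell dumpsys package` output;
# the package names are placeholders, not the apps named in the advisory.
SAMPLE = """\
Package [com.example.brickgame]:
  requested permissions:
    android.permission.INTERNET
    android.permission.ACCESS_FINE_LOCATION
    android.permission.BLUETOOTH_CONNECT
    android.permission.ACCESS_WIFI_STATE
    android.permission.QUERY_ALL_PACKAGES
Package [com.example.notes]:
  requested permissions:
    android.permission.INTERNET
    android.permission.QUERY_ALL_PACKAGES
"""
PKG_RE = re.compile(r"^Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s+(android\.permission\.[A-Z_]+)")

def parse_dumpsys(text):
    """Map each package to the set of android.permission.* names listed under it."""
    perms, current = defaultdict(set), None
    for line in text.splitlines():
        if m := PKG_RE.match(line):
            current = m.group(1)
        elif (m := PERM_RE.match(line)) and current:
            perms[current].add(m.group(1))
    return dict(perms)

def exposure(perms):
    """Advisory data categories a bundled library could reach with these permissions."""
    return [name for name, needed in CATEGORIES.items() if perms & needed]

def flag_packages(text, min_categories=2):
    """Packages that hold INTERNET plus at least min_categories exposure categories."""
    return {pkg: cats for pkg, perms in parse_dumpsys(text).items()
            if P + "INTERNET" in perms and len(cats := exposure(perms)) >= min_categories}
```

A flagged package is not proof of a bundled Goldoson library; it is a shortlist for closer review of the app's third-party SDKs and network behaviour.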

Some of the impacted apps are: 

    • L.POINT with L.PAY - 10 million downloads 
    • Swipe Brick Breaker - 10 million downloads 
    • Money Manager Expense & Budget - 10 million downloads 
    • GOM Player - 5 million downloads 
    • LIVE Score, Real-Time Score - 5 million downloads 
    • Pikicast - 5 million downloads 
    • Compass 9: Smart Compass - 1 million downloads 
    • GOM Audio - Music, Sync lyrics - 1 million downloads 
    • LOTTE WORLD Magicpass - 1 million downloads 
    • Bounce Brick Breaker - 1 million downloads 
    • Infinite Slice - 1 million downloads 
    • SomNote - Beautiful note app - 1 million downloads 
    • Korea Subway Info: Metroid - 1 million downloads 

Consequences:  Theft of sensitive data and ad fraud performed by clicking ads in the background without the user's consent

Impact/Probability: HIGH/HIGH

Solution:

  • Users should update their applications with the latest security patches.
  • Users should install anti-malware software to routinely scan their devices for malware.
  • Users should always download applications from official sites and application stores (avoid downloading apps from third-party Android app stores).

References:

https://www.bleepingcomputer.com/news/security/android-malware-infiltrates-60-google-play-apps-with-100m-installs/ 

https://malwaretips.com/threads/android-malware-infiltrates-60-google-play-apps-with-100m-installs.122573/ 

https://www.business-standard.com/amp/companies/news/android-malware-infects-60-google-play-apps-with-100-million-downloads-123041700123_1.html