A new Android malware named 'Goldoson' has infiltrated Google Play through 60 legitimate apps that collectively have 100 million downloads.
The malicious component is part of a third-party library used by all 60 apps, which the developers unknowingly added to their apps.
Some of the impacted apps are:
- L.POINT with L.PAY – 10 million downloads
- Swipe Brick Breaker – 10 million downloads
- Money Manager Expense & Budget – 10 million downloads
- GOM Player – 5 million downloads
- LIVE Score, Real-Time Score – 5 million downloads
- Pikicast – 5 million downloads
- Compass 9: Smart Compass – 1 million downloads
- GOM Audio – Music, Sync lyrics – 1 million downloads
- LOTTE WORLD Magicpass – 1 million downloads
- Bounce Brick Breaker – 1 million downloads
- Infinite Slice – 1 million downloads
- SomNote – Beautiful note app – 1 million downloads
- Korea Subway Info: Metroid – 1 million downloads
According to McAfee's research team, which identified Goldoson, the malware can collect data on installed apps, WiFi- and Bluetooth-connected devices, and the user's GPS location.
Additionally, it can perform ad fraud by clicking ads in the background without the user's consent.

Stealing data from Android devices

When a user launches an app that contains Goldoson, the library registers the device and receives its configuration from a remote server whose domain is obfuscated.
The configuration contains parameters that set which data-stealing and ad-clicking functions Goldoson should run on the infected device and how often.
Goldoson configuration (McAfee)
The data collection function is typically set to activate every two days, sending to the C2 server a list of installed apps, geographic location history, MAC addresses of devices connected over Bluetooth and WiFi, and more.
JSON request that exfiltrates data (McAfee)
The degree of data collection depends on the permissions granted to the infected app during its installation and on the Android version. Android 11 and above are better protected against arbitrary data collection; however, McAfee found that even on recent versions of the OS, Goldoson had sufficient permissions to gather sensitive data in 10% of the apps.
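As an added example (not from the article or from McAfee's report), the Python script below parses an Android manifest and maps the declared permissions to the data categories the article says Goldoson collects, which is the kind of triage a store reviewer or analyst would do to judge how much a bundled library could exfiltrate. The permission-to-category mapping and the sample manifest are my assumptions; the article names no permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Data categories the article attributes to Goldoson, each paired with the
# Android permissions that would let a library inside the app obtain that data.
# (Assumed mapping; QUERY_ALL_PACKAGES is what Android 11+ requires for a full
# installed-app list, which is why newer versions limit this collection.)
CAPABILITIES = {
    "installed_app_list": {"android.permission.QUERY_ALL_PACKAGES"},
    "gps_location": {"android.permission.ACCESS_FINE_LOCATION",
                     "android.permission.ACCESS_COARSE_LOCATION"},
    "wifi_devices": {"android.permission.ACCESS_WIFI_STATE",
                     "android.permission.NEARBY_WIFI_DEVICES"},
    "bluetooth_devices": {"android.permission.BLUETOOTH",
                          "android.permission.BLUETOOTH_CONNECT",
                          "android.permission.BLUETOOTH_SCAN"},
}

def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }

def exposed_capabilities(manifest_xml):
    """Map each Goldoson-style data category to the declared permissions that
    enable it; categories with no enabling permission are omitted."""
    perms = declared_permissions(manifest_xml)
    return {cap: sorted(perms & need) for cap, need in CAPABILITIES.items() if perms & need}

# Constructed sample manifest (not from any real app): a compass-style app that
# also declares permissions a compass has no obvious reason to need.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.compass">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
</manifest>"""

if __name__ == "__main__":
    for cap, perms in exposed_capabilities(SAMPLE_MANIFEST).items():
        print(f"{cap}: {', '.join(perms)}")
```

Run against a real app, the manifest comes from the decoded APK (for example via apktool), and any category flagged without a plausible feature behind it is worth a closer look at the bundled SDKs.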
The ad-clicking function works by loading HTML code and injecting it into a customized, hidden WebView, then using that WebView to perform multiple URL visits, generating ad revenue.
The victims do not see any indication of this activity on their device.
Goldoson's ad-clicking activity (McAfee)

Library removed, but risk still there
McAfee is a Google App Defense Alliance member that helps keep Google Play clean from malware and adware threats. As such, the researchers informed Google of their findings, and the developers of the impacted apps were alerted accordingly.
Many of the affected apps were cleaned by their developers, who removed the offending library, and those that didn't respond in time had their apps removed from Google Play for non-compliance with the store's policies.
Google confirmed the action to BleepingComputer, stating that the apps violated Google Play policies.
"The safety of users and developers is at the core of Google Play. When we find apps that violate our policies, we take appropriate action," Google told BleepingComputer.
"We have notified the developers that their apps are in violation of Google Play policies and fixes are needed to come into compliance."
Users who installed an impacted app from Google Play can remediate the risk by applying the latest available update.
However, Goldoson exists on third-party Android app stores too, and the chances of those still harboring the malicious library are high.
Common signs of adware and malware infection include the device heating up, the battery draining quickly, and unusually high internet data usage even when the device is not in use.