Android malware infiltrates 60 Google Play apps with 100M installs

03.05.2023

The McAfee research team, a member of Google's App Defence Alliance, has discovered a new Android malware named Goldoson. The malicious component is part of a third-party library used unknowingly by the developers of the sixty infected apps. The research team reported that Goldoson could collect data on installed apps, WiFi/Bluetooth-connected devices, and the user's GPS location.

The sixty infected apps, which have garnered a total of 100 million downloads, include: L.POINT with L.PAY, Swipe Brick Breaker, Money Manager Expense & Budget, GOM Player, LIVE Score, Real-Time Score, Pikicast, Compass 9: Smart Compass, GOM Audio, LOTTE WORLD Magicpass, Bounce Brick Breaker, Infinite Slice, SomNote - Beautiful note App and Korea Subway Info: Metroid.

Further analysis by the McAfee research team shows that the Goldoson library registers the device on which the infected app is running and receives its configuration from a remote server whose domain is obfuscated. The configuration contains parameters that set which data-stealing and ad-clicking functions Goldoson should run on the infected device and how often. The level of data collection depends on the permissions granted to the infected app during its installation and on the Android version.

Android 11 and above are protected from arbitrary data collection; however, McAfee found that even on recent versions of the OS, Goldoson had enough permissions to gather sensitive data in 10% of the apps. What sets the malware apart is that victims see no indication of it running on their devices.
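Because a bundled library runs with whatever the host app is allowed to do, an app's manifest shows which of the three data categories above such a library could reach. The following audit sketch is an added example, not code from McAfee or from the article; it assumes the manifest has already been decoded to text XML and includes a `uses-sdk` element, the sample manifest is constructed, and the Wi-Fi/Bluetooth rule is a deliberately coarse assumption.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Constructed sample: decoded AndroidManifest.xml of a hypothetical app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.scoreboard">
  <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="31"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
</manifest>"""

def parse_manifest(xml_text):
    """Return (targetSdkVersion, declared permission names) from manifest XML."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    # A missing value is treated as API 1, the most permissive (conservative) case.
    target = int(sdk.get(NS + "targetSdkVersion", "1")) if sdk is not None else 1
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    return target, perms

def library_exposure(xml_text):
    """Flag which data categories any code inside the app could reach.

    This is an upper bound: runtime permissions such as location still
    require the user's grant on the device.
    """
    target, perms = parse_manifest(xml_text)

    def has(*names):
        return any(P + n in perms for n in names)

    return {
        # Android 11 package visibility filters the installed-app list for
        # apps targeting API 30+, unless QUERY_ALL_PACKAGES is declared.
        "installed_apps": target < 30 or has("QUERY_ALL_PACKAGES"),
        "gps_location": has("ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"),
        # Coarse rule (assumption): any Bluetooth or Wi-Fi state permission
        # makes this category worth a manual review.
        "wifi_bluetooth_devices": has("BLUETOOTH_CONNECT", "BLUETOOTH_SCAN",
                                      "BLUETOOTH", "ACCESS_WIFI_STATE"),
    }

if __name__ == "__main__":
    print(library_exposure(SAMPLE_MANIFEST))
```

Running the same check over every app that embeds a given SDK shows where a single library would have the widest reach.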

Google and the developers of the infected apps have already been informed of the finding. The developers have removed the offending library, and those that didn't respond in time had their apps removed from Google Play. Users who installed an infected app are advised to apply the latest available update provided by the app's developers. Google assures its users of its commitment to their safety and urges developers to adhere to its policies.