Ideally, every app you download from the Play Store is absolutely safe. After all, Google has strict rules and regulations to remove any app that might try to harm users. Unfortunately, we don’t live in an ideal world, and malware enters the official marketplace every day. The latest example involves dozens of apps, downloaded millions of times, that carried malware without the knowledge of their users or their developers.
Goldoson malware has far-reaching implications
McAfee’s mobile research team discovered a new malicious library, which they identified as “Goldoson,” that made its way into Google’s Play Store and South Korea’s ONE Store through 60 approved apps. Bleeping Computer highlights 13 of the most popular applications affected by this malware intrusion:
L.POINT and L.PAY: 10 million downloads
Bricklayer: 10 million downloads
Money Manager Expense & Budget: 10 million downloads
GOM Player: 5 million downloads
LIVE Score, live score: 5 million downloads
Pikicast: 5 million downloads
Compass 9: Smart Compass: 1 million downloads
GOM Audio – music, synchronized lyrics: 1 million downloads
Rakuten World Magicpass: 1 million downloads
Bounce Brick Breaker: 1 million downloads
Infinite Slice: 1 million downloads
SomNote – nice note taking app: 1 million downloads
Korea Metro Info: Galaxy Warrior: 1 million downloads
However, unlike malicious apps found in the past, the developers of these 60 apps were not knowingly complicit. Their apps are legitimate, but they rely on a third-party library that contains the Goldoson malware.
How Goldoson works
Thanks to McAfee’s research, we know that Goldoson collects a list of the apps you have installed on your device, as well as logs of your Wi-Fi network, Bluetooth connections, and GPS location. The library can only access this information if you grant the relevant permissions, but since the apps themselves are not suspicious, those permissions may well have been granted. The library can also profit from ad fraud by clicking on ads in the background without your knowledge.
When you install an application that communicates with the Goldoson library, the library registers your device and starts communicating with its server. The server then decides how often Goldoson should click on ads or steal your data. Data collection usually runs every two days, after which the library sends a complete list of all apps, location history, number of devices and network connections gathered during that period.
Update or delete these apps as soon as possible
According to McAfee’s list, all of these apps have by now been either updated or removed from the Play Store. You still need to be proactive: check the list of apps in the McAfee report to see whether you have any of them on your Android device. If so, make a note of which apps have been updated and which have been removed. If an update is available, install it as soon as possible. If the app no longer exists in the Play Store, remove it immediately. Google may have removed the app from the Play Store, but that does not remove the copy already installed on your device.
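The check described above can be scripted for a device connected over USB. This is an added example, not code from McAfee or from the original article: the package names in `ADVISORY` and the sample output are constructed placeholders, to be replaced with the package names and statuses from the McAfee report, and `installed_from_adb()` assumes the Android `adb` tool is installed with USB debugging enabled.

```python
import subprocess

# Placeholder advisory entries (constructed for this example). Replace them
# with the package names and statuses published in the McAfee report.
ADVISORY = {
    "com.example.budgetapp": "updated",
    "com.example.brickgame": "removed",
    "com.example.metroinfo": "updated",
}

# What the article recommends for each status.
ACTIONS = {
    "updated": "install the latest update",
    "removed": "uninstall from the device",
}

# Constructed sample of `pm list packages` output, used for the offline run.
SAMPLE_PM_OUTPUT = """\
package:com.android.settings
package:com.example.brickgame
package:com.example.budgetapp
package:org.example.unrelated
"""


def parse_pm_list(output):
    """Turn `pm list packages` output ("package:<name>" lines) into a set."""
    prefix = "package:"
    return {line.strip()[len(prefix):] for line in output.splitlines()
            if line.strip().startswith(prefix)}


def triage(installed, advisory=ADVISORY):
    """Map each installed package named in the advisory to an action."""
    hits = {}
    for pkg in sorted(installed & set(advisory)):
        hits[pkg] = ACTIONS.get(advisory[pkg], "status unknown, check the report")
    return hits


def installed_from_adb():
    """Read packages from a USB-connected device (assumes adb is on PATH)."""
    out = subprocess.run(["adb", "shell", "pm", "list", "packages"],
                         capture_output=True, text=True, check=True).stdout
    return parse_pm_list(out)


if __name__ == "__main__":
    # Swap parse_pm_list(SAMPLE_PM_OUTPUT) for installed_from_adb() on a real device.
    for pkg, action in triage(parse_pm_list(SAMPLE_PM_OUTPUT)).items():
        print(f"{pkg}: {action}")
```

An app listed as updated is only safe once the update is actually installed on the device, so treat every match as an action item rather than a status report.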