
Android malware infects 60+ Google Play apps with 100 million downloads

A new Android malware called “Goldoson” has infiltrated Google Play and has been found in 60 legitimate apps with a total of 100 million downloads.

The malicious component is part of a third-party library that developers accidentally included in all sixty apps, reports BleepingComputer.

The Android malware discovered by McAfee’s research team is capable of collecting a variety of sensitive information, such as information about a user’s installed apps, WiFi and Bluetooth devices, and GPS locations.

According to the report, it can also commit ad fraud by clicking ads in the background without the user’s consent.

When a user runs an application containing Goldoson, the library registers the device and retrieves its configuration from an obscure remote server.

The settings specify which data-stealing and ad-clicking actions Goldoson should perform on the infected device and how often.

Infected Apps

  1. L.POINT with L.PAY (10M+) Updated
  2. Swipe Brick Breaker (10M+) Removed
  3. Money Manager Expense & Budget (10M+) Updated
  4. TMAP (10M+) Updated
  5. Lotte Cinema (10M+) Updated
  6. Genie Music (10M+) Updated
  7. Cultureland version 2 (5M+) Updated
  8. GOM Player (5M+) Updated
  9. Megabox (5M+) Removed
  10. LIVE Score Real-Time score (5M+) Updated
  11. Pikicast (5M+) Removed
  12. Compass 9: Smart Compass (1M+) Removed
  13. GOM Audio – Music, Sync lyrics (1M+) Updated
  14. TV – All About Video (1M+) Updated
  15. Guninday (1M+) Updated
  16. Item mania (1M+) Removed
  17. LOTTE WORLD Magicpass (1M+) Updated
  18. Bounce Brick Breaker (1M+) Removed
  19. InfiniteSlice Infinite Slice (1M+) Removed
  20. Norae bang (1M+) Updated
  21. SomNote – Beautiful note app (1M+) Removed
  22. Korea Subway Info: Metroid (1M+) Updated
  23. GoodTVBible (1M+) Removed
  24. Happy Mobile Happy Screen (1M+) Updated
  25. UBhind: Mobile Tracker Manager (1M+) Removed
  26. Mafu Driving Free (1M+) Removed
  27. Girl singer WorldCup (500K+) Updated
  28. FSP Mobile (500K+) Removed
  29. Audio Recorder (100K+) Removed
  30. Catmera (100K+) Removed
  31. Cultureland Plus (100K+) Updated
  32. Simple Air (100K+) Removed
  33. Lotteworld Seoul Sky (100K+) Updated
  34. Snake Ball Lover (100K+) Removed
  35. Play Geto (100K+) Removed
  36. Memory Memo (100K+) Removed
  37. PB Stream (100K+) Removed
  38. Money Manager (Remove Ads) (100K+) Updated
  39. Inssaticon – Cute Emoticons (100K+) Removed
  40. ECloud (100K+) Updated
  41. SCinema (50K+) Updated
  42. Ticket Office (50K+) Updated
  43. Lotteworld Aquarium (50K+) Updated
  44. Lotteworld Water Park (50K+) Updated
  45. T map for KT, LGU+ (50K+) Removed
  46. Random number (50K+) Updated
  47. AOG Loader (10K+) Removed
  48. GOM Audio Plus – Music, Sync l (10K+) Updated
  49. Swipe Brick Breaker 2 (10K+) Removed
  50. Safe Home (10K+) Removed
  51. Chuncheon (10K+) Removed
  52. Fantaholic (5K+) Removed
  53. Cinecube (5K+) Updated
  54. TNT (5K+) Removed
  55. Bestcare Health (1K+) Removed
  56. InfinitySolitaire (1K+) Removed
  57. New Safe (1K+) Removed
  58. Cashnote (1K+) Removed
  59. TDI News (1K+) Removed
  60. Eyesting (500+) Removed
  61. TingSearch (50+) Removed
  62. Krieshachu Fantastic (50+) Removed
  63. Yeonhagoogokka (10+) Removed

In addition, according to the report, the data collection mechanism is usually set to activate every two days, sending a list of installed applications, geographic location history, MAC addresses of devices connected via Bluetooth and WiFi, and other information to the C2 server.

The amount of data collected depends on the permissions granted to the infected application during installation and on the Android version.

Although Android 11 and later versions are better protected against arbitrary data collection, the researchers found that Goldoson had sufficient permissions to obtain sensitive data in 10 percent of apps even on newer versions of the operating system, the report states.
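To check how much of the data described above an embedded library could reach in a given app, the following added example (not from the report or from any app on this page) audits a decoded AndroidManifest.xml against the data categories the article lists. The sample manifest is constructed, and the permission-to-category mapping is a simplified assumption keyed on `targetSdkVersion` only.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Constructed sample manifest (not taken from any app named on this page).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-sdk android:targetSdkVersion="31"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
</manifest>"""

def parse_manifest(xml_text):
    """Return (target_sdk, set of requested permission names)."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    # A manifest without uses-sdk is treated as targeting API 1.
    target = int(sdk.get(ANDROID_NS + "targetSdkVersion", "1")) if sdk is not None else 1
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return target, perms - {None}

def exposure(target_sdk, perms):
    """Map requested permissions to the data categories the article lists.
    Simplified model (assumption): version gates use targetSdkVersion only."""
    out = {}
    # Apps targeting API 30+ see a filtered package list unless they hold
    # QUERY_ALL_PACKAGES; older targets can enumerate installed apps freely.
    out["installed_apps"] = target_sdk < 30 or P + "QUERY_ALL_PACKAGES" in perms
    out["location"] = bool(perms & {P + "ACCESS_FINE_LOCATION",
                                    P + "ACCESS_COARSE_LOCATION"})
    # Apps targeting API 31+ need BLUETOOTH_CONNECT / BLUETOOTH_SCAN;
    # the legacy BLUETOOTH permission only applies to older targets.
    bt = ({P + "BLUETOOTH_CONNECT", P + "BLUETOOTH_SCAN"}
          if target_sdk >= 31 else {P + "BLUETOOTH"})
    out["bluetooth_devices"] = bool(perms & bt)
    out["wifi_info"] = P + "ACCESS_WIFI_STATE" in perms
    return out

def audit(xml_text):
    """Parse a manifest and report which data categories are reachable."""
    return exposure(*parse_manifest(xml_text))

if __name__ == "__main__":
    for category, reachable in audit(SAMPLE_MANIFEST).items():
        print(f"{category:18} {'REACHABLE' if reachable else 'blocked'}")
```

The result reflects permissions the app requests, not what the user actually granted at runtime, so treat it as an upper bound on what any bundled SDK could collect.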

Ad revenue is generated by downloading HTML code, inserting it into a custom hidden WebView, and using that WebView to perform multiple URL visits.

There is no indication of this activity on the victim’s device.

In January, Google’s Threat Analysis Group shut down thousands of accounts linked to a group called “Dragonbridge” or “Spamouflage Dragon” that was spreading Chinese disinformation on various platforms.

According to the tech giant, Dragonbridge receives new Google accounts from crowdsourced account sellers, and at times they have even used accounts previously used by financially motivated actors to publish disinformation videos and blogs.
