Goldoson malware strikes 60 Google Play Store apps: tips to safeguard your mobile device

According to McAfee, a recently identified Android malware known as ‘Goldoson’ infiltrated some of the popular mobile apps available on the Google Play Store. The malware was found in a total of 60 legitimate apps, which have collectively been downloaded 100 million times. Researchers from McAfee found that the Android malware can gather sensitive data such as the user’s installed apps, WiFi details, GPS locations, and Bluetooth-connected devices. Additionally, the malware can conduct ad fraud by clicking on ads in the background without the user’s knowledge or consent.

How Goldoson works 

As apps containing the Goldoson library run, the library registers the user’s device and retrieves remote configurations. The library’s name and the domain of the remote server differ for each application and are concealed through obfuscation techniques. These configurations include parameters for each functionality and specify how often the library runs its components.  

Using these parameters, the library periodically pulls device information and sends it to the remote servers. The library loads web pages without user awareness, which can be exploited to display ads for financial gain. The library loads HTML code and injects it into a customized and hidden WebView, generating hidden traffic by recursively visiting URLs. 

Data collected by the library is sent out every two days, but the cycle can be changed by the remote configuration. The information includes sensitive data such as the list of installed applications, location history, MAC addresses of nearby Bluetooth and Wi-Fi devices, and more.

Google Play regards the list of installed apps on a user’s device as sensitive and personal information and therefore requires a specific permission declaration to access it. With Android 11 and above, users are provided with greater protection against apps that attempt to collect information on all installed apps. However, despite the recent Android update, approximately 10% of the apps that contain Goldoson have been found to possess the “QUERY_ALL_PACKAGES” permission, which grants them access to app data. 
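The permission check described above can be run against an app's decoded AndroidManifest.xml. The following is an added example, not code from McAfee or from the original article; the mapping of permissions to data types, the sample manifests and the package names are assumptions constructed for illustration. It also covers a case the paragraph does not: apps that target an API level below 30 are not subject to Android 11 package visibility filtering, so they can list installed apps without declaring QUERY_ALL_PACKAGES.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumption: Android permissions that gate the data types the article lists.
WATCHED = {
    "android.permission.QUERY_ALL_PACKAGES": "installed apps",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.BLUETOOTH_SCAN": "nearby Bluetooth devices",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi details",
}

def audit_manifest(xml_text):
    """Return the watched data categories a decoded manifest can reach."""
    root = ET.fromstring(xml_text)
    declared = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            declared.add(el.get(ANDROID + "name"))
    exposure = {label for perm, label in WATCHED.items() if perm in declared}
    sdk = root.find("uses-sdk")
    raw = sdk.get(ANDROID + "targetSdkVersion") if sdk is not None else None
    target = int(raw) if raw and raw.isdigit() else None
    # Package visibility filtering only applies to apps targeting API 30
    # (Android 11) or higher; older targets see every installed app anyway.
    if target is not None and target < 30:
        exposure.add("installed apps")
    return {"package": root.get("package"), "target_sdk": target,
            "exposure": sorted(exposure)}

# Constructed sample manifests (hypothetical package names).
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
SAMPLES = [
    HEAD + 'package="com.example.flagged"><uses-sdk android:targetSdkVersion="33"/>'
    '<uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>'
    '<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>'
    '</manifest>',
    HEAD + 'package="com.example.oldtarget"><uses-sdk android:targetSdkVersion="29"/>'
    '<uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>'
    '</manifest>',
    HEAD + 'package="com.example.clean"><uses-sdk android:targetSdkVersion="33"/>'
    '<uses-permission android:name="android.permission.INTERNET"/>'
    '</manifest>',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_manifest(sample))
```

A non-empty `exposure` list is a prompt to review the app, not proof that it contains Goldoson, since legitimate apps declare these permissions too.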

According to reports, Google has informed the app developers that their apps violate Google Play’s policies, and they must make changes to comply. Some apps have been removed from Google Play, while others have been updated by their respective developers. Users are advised to update their apps to the latest versions to eliminate the identified threat from their devices. 

Earlier this year, Google’s Threat Analysis Group acted against a group known as ‘DRAGONBRIDGE’ or ‘Spamouflage Dragon’ by terminating thousands of associated accounts that were spreading pro-Chinese disinformation on multiple platforms.

How to protect mobile applications 

Users can take the following steps to safeguard their devices and personal data from such attacks:

  • Keep your mobile operating system and apps up to date: Ensure that your mobile device’s operating system and apps are updated to the latest versions. This will ensure that any known security vulnerabilities are patched, reducing the risk of cyber-attacks. 
  • Only download apps from trusted sources: Download apps only from trusted sources such as Google Play or Apple App Store. Avoid downloading apps from third-party app stores or unverified sources. 
  • Read app permissions and reviews: Before downloading an app, carefully read its permissions to understand what data it requires access to and why. Additionally, read user reviews to identify any potential issues or concerns. 
  • Use a mobile security solution: Consider using a mobile security solution that can help detect and remove malicious apps, as well as provide additional security features such as app scanning and protection against phishing attacks. 
  • Avoid connecting to unsecured networks: Avoid connecting to unsecured Wi-Fi networks as they can be used by attackers to intercept your data. 
  • Be cautious with app links: Be careful when clicking on app links, especially from unknown sources. Verify that the link is legitimate before clicking on it. 

By following these best practices, users can significantly reduce their risk of falling victim to mobile app-related security threats. 
