New Malicious Software Found in Popular Android Applications
Android malware known as “Goldoson” has been discovered by McAfee specialists inside 60 applications with over 100 million downloads on Google Play. The malware is part of a third-party library that developers added to their applications unknowingly.
Goldoson can collect data on installed applications, devices connected via Bluetooth and Wi-Fi, and the user’s GPS location. It can also conduct advertising fraud without the user’s consent.
Goldoson registers the device and receives its configuration from a disguised remote server. The configuration determines which data-theft and ad-clicking functions run on an infected device and how often.
Data collection occurs every two days, sending a list of installed applications, location history, MAC addresses of devices connected via Bluetooth and Wi-Fi, and other information to the C2 server. How much data is collected depends on the permissions granted to the infected application at installation and on the Android version.
The ad-clicking function works by loading HTML code into a hidden WebView and visiting several URLs to generate advertising income. It runs silently in the background, without the user’s knowledge.
McAfee is a member of the Google App Defense Alliance, and the researchers informed Google about their conclusions. Google has warned the developers of affected applications about the problem, and many have removed the offending library.
Users should install the latest available update for the affected application from Google Play. However, the malicious software may also exist in third-party Android application stores. Signs of infection include the device overheating, rapid battery discharge, and high internet data usage.
The discovery of Goldoson highlights the importance of developers being cautious about third-party libraries and the need for regular security checks on their applications.
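Because the amount of data collected depends on the host application's permissions and the Android version, a developer can check what any bundled third-party library would be able to reach. The following is an added example, not code from McAfee or from the original article; the permission mapping, function names and sample manifest are assumptions of the example, and the input is a decoded (text) AndroidManifest.xml.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Data categories named in the article -> permissions that gate them.
# This mapping is an assumption of the example, taken from public Android docs.
GATES = {
    "installed applications": {P + "QUERY_ALL_PACKAGES"},
    "location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "bluetooth devices": {P + "BLUETOOTH", P + "BLUETOOTH_CONNECT", P + "BLUETOOTH_SCAN"},
    "wifi information": {P + "ACCESS_WIFI_STATE"},
}

def effective_permissions(root, device_api):
    """Permissions the manifest requests on a device running device_api."""
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            max_sdk = node.get(NS + "maxSdkVersion")
            if max_sdk is not None and device_api > int(max_sdk):
                continue  # request is dropped on newer Android versions
            perms.add(node.get(NS + "name"))
    return perms

def sdk_exposure(manifest_xml, device_api):
    """Map each data category to the declared permissions that expose it to any
    library inside the app. Runtime permissions still need the user's grant."""
    root = ET.fromstring(manifest_xml)
    perms = effective_permissions(root, device_api)
    found = {c: sorted(perms & g) for c, g in GATES.items() if perms & g}
    # Package visibility filtering needs device and targetSdk both at API 30+.
    uses_sdk = root.find("uses-sdk")
    target = int(uses_sdk.get(NS + "targetSdkVersion", "1")) if uses_sdk is not None else 1
    if min(device_api, target) < 30:
        found.setdefault("installed applications", []).append("(no package filtering below API 30)")
    return found

# Constructed sample manifest, not taken from any real application.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="33"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.BLUETOOTH" android:maxSdkVersion="30"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
</manifest>"""

if __name__ == "__main__":
    for api in (29, 33):
        print(api, sdk_exposure(SAMPLE, api))
```

Any category the report lists that the application itself does not need is a permission worth removing from the manifest, since every embedded library inherits it.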